pillar 2: operational issues of risk management

Pillar 2Operational issues of risk management

www.pwc.com/solvencyII

2011 was a crucial milestone for insurance companies on the path to Solvency II compliance.

March 2012

so/mco.cwp.www

IIycnevlo

ralliPtarepO

maksir

2 seuss ilaoni

tnemegan a of

l aicurs a ca1 w102narusnor ie f for iontselimtae phs on teinapommpccnailpomI cy I II cccy InevloS

210 2hrcMa

e cno h tt

.ec

2 PwC Pillar 2, operational issues of risk management

Contents

Overview 4

1. Theoretical approach 6

1.1 General provisions of Pillar 2 8

1.2 What does the Directive say? 9

1.3 What do the implementing measures say? 12

1.4 COSO II - ERM 16

2. Operational implementation 20

2.1 Defining the risk management system 22

2.2 Implementing the risk management process 34

2.3 Managing cross-business projects 45

Overall conclusions 58

Contacts 59

This PwC White Paper focuses exclusively on thechallenges of implementing the new Solvency IIrequirements. It provides the insurance industry with asingle concrete methodology and framework, completewith milestones, for adapting the principles of Pillar 2 totheir organisations.

PwC Pillar 2, operational issues of risk management 3

Foreword

This White Paper is being issued at a crucial point in the Solvency II regulatorycalendar. The challenge of ensuring compliance with Pillar 2 – the cornerstone ofsolvency risk prevention – is becoming clearer. The initial work on Level 2measures concerning the system of risk governance is in its final stages. Themeasures for Level 3 began in 2011 and accelerated towards the end of the year,despite the fact that from January 2011 the Omnibus 2 Directive allowed fortransitory measures as well as a grace period under certain conditions and forcertain points.

In this uncertain, but already well advanced, regulatory context, the priorities ofthe insurance industry are concentrated around Pillar 2, which involves theoperational application of a risk strategy which is compliant with the Directive’sprinciples and obligations. These new obligations go to the heart of business andorganisational management. They also represent an opportunity for companies tooptimise their operational performance. In this respect, the documentedprocedures of Own Risk and Solvency Assessment (ORSA) offer a path togroundbreaking management of solvency over a strategic horizon of three to fiveyears.

PwC assists insurance companies in their projects and has worked side by sidewith them on risk management issues, including drafting the COSO 2-ERMstandard. This White Paper is aimed at extending our contribution to compliancewith Solvency II.

Paul Clarke Jimmy ZouGlobal Solvency II leader Solvency II leader (France)


Overview

On the long journey towards compliance with the newSolvency II regulations, insurers (insurance andreinsurance companies, mutual insurers and insurancecooperatives) are at a crossroads: having thus farfocused on the quantitative aspects of the Directive,referred to as Pillar 1, they are now turning towards themore complex qualitative obligations of Pillar 2.


In 2010, insurance companies concentrated on assessingtheir ability to build accurate risk models, based on the newframework, and to measure the impact of these requirementson the amount of capital required for the 1 January 2013implementation. Companies have also recently finalised theQIS 5 exercises, which provided the opportunity to conducta first dry run to test calculation methods and processes.During this phase, the final adjustments necessary toimplement a process for drawing up economic assessmentsand calculating solvency capital requirements (SCR) were made.

In early 2011, the work concentrated on Pillar 2 of Solvency II,which required companies to challenge their own riskculture, define – or redefine as needed – risk governance andstrategy and consider the operational implementation of therisk management function. As the keystone of the Directive isbased on risk control, Pillar 2 compliance therefore raisesmany questions for insurance companies. These toughquestions often strike at the heart of business managementprocesses.

Questions you might ask yourself include: What exactly doSolvency II regulations require? How should, or how can,these provisions be applied to my company? What constraintsand determining factors are used to configure an operationalrisk management system as accurately as possible? What arethe specific sub-projects that fall under Pillar 2 requirementsin my overall compliance project?

The main difficulty shared by all of our clients, which weaddress in this White Paper, is how to interpret and apply theregulations properly to individual companies in orderto create a risk management process that meets therequirements in an appropriate and efficient manner.

This paper is designed as a toolbox for those involved inthe organisational aspects of Solvency II compliance.Following a brief overview of the regulatory requirementsand the ERM framework, we break down the operationalissues involved in Solvency II compliance projects (riskmanagement function, organisation and governance of theoverall risk management processes, scoping of ‘cross-business’ projects such as data quality and ORSA). We alsohighlight the fundamental questions and, based on concreteexamples, sketch out the main operational approaches toanswering them.

As such, this paper is mainly directed at operational Solvency II compliance project coordinators, projectmanagers and heads of risk. It should also provide usefulinformation for the managers and directors of insurancecompanies. Currently many insurers face difficult choices infinding the right balance between compliance requirements(which can seem excessive) and adapting them to theircompany’s internal environment (a strict compliance or‘best-in-class’ approach to risk management?). We hope thatyou will find the guidelines developed below useful in yourcompliance work.

“Through its cross-disciplinary approach, this WhitePaper clearly presents the key points of riskmanagement and provides illustrations of potentialsituations. This document reassures us on ourapproach and gives fresh insight into certainoperational strategies for Pillar 2 projects.”

Christophe Raballan, Head of Risk Management andInternal Control, MAIF


1. Theoretical approach


Introduction

Under Solvency II, all companies must demonstrate that they have implementedan adequate and efficient risk management system. The two main vehiclesused are:

• The regulatory framework of Pillar 2 is the principal vehicle. Its provisions,outlined in a small number of articles in the Directive, cover regulatoryrequirements relating to the operational structure of risk management.These articles are further developed in implementing measures, some of whichare currently under discussion.

• The technical framework, COSO 21 ‘Enterprise Risk Management’ or ERM,which is most often used to understand what effective risk managementcriteria are. Rating agencies have now included ERM performance as anevaluation criterion in and of itself.

In this report, we have provided a summary of the main provisions and conceptslisted in these frameworks.

1 COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, a non-profitcommission which in 1992 established a standard definition for internal control and created a framework toevaluate its efficiency.


1.1 General provisions of Pillar 2

Pillar 2 covers all of the required risk management principles and practices relating to the risk and capital estimates coveredby Pillar 1. The main provisions fall into the following four major categories:

The main difficulty in getting to gripswith Pillar 2 is that the articles andimplementing measures define theunderlying principles but offer nostandards as to its practical application.These principles must be interpreted

and adapted to apply to the internalenvironment of your organisation.

In light of this, we focus on theorganisational aspect of Pillar 2,namely the governance issues for the

risks covered in articles 41 to 49, andthe Level 2 and 3 measures currentlybeing defined and discussed betweenEuropean Insurance and OccupationalPensions Authority (EIOPA) and theEuropean Commission.

Risk governance(Art. 41 to 49)

New supervision process (Art. 27 to 39)

Internal model(Art. 120 to 126)

• General governance requirements (segregating responsibilities, managing conflicts of interest, etc.)

• Principle of proportionality of the risk system in relation to the complexity of the risk profile

• Definition of key functions in risk management and the scope of the risk system

• Fit and proper requirements for the main risk management roles

• Good conduct principles in terms of remuneration

• A new supervisory review process based on permanent dialogue with the regulator and in which the company bears the ‘burden of proof’

• The option of the regulator to sanction any quantitative or qualitative divergence from expected standards through ‘capital add-ons’

• Requirement to show that the internal model is used effectively in monitoring (operational risk management, capital allocation)

• A concrete assessment based on nine principles (adoption by management, accurate reflection of risk profile, etc.)

• Internal validation process for the model...

• … and model sensitivity and stability tests.

Own risk and solvency assessment (ORSA) (Art. 45)

• A set of processes and procedures used to identify, assess, monitor, control and report internal and external long-term and short-term risks that an insurer faces or could face. These risks are used to determine the company’s capital requirement to ensure its solvency at all times.

• The ORSA covers the regulatory requirements of Pillars 1, 2 and 3

Figure 1: The principal provisions of Pillar 2

Source: PwC


1.2 What does the Directive say?

The European Solvency II Directive establishes the ground rules for good governance as a complete system composed offunctions and rules used by regulators and models for appropriate decision-making procedures. The system for riskgovernance (defined in Article 41) features seven main components, each with set expectation levels. These components aredetailed in an article focused on the Directive, as illustrated below.

Fit and proper requirements (Art. 42 + 43)

Risk management (Art. 44)

ORSA (Art. 45)

Internal control (Art. 46)

Internal audit (Art. 47)

Actuarial function (Art. 48)

Outsourcing (Art. 49)

GOVERNANCE (Art. 41)

Art. 41 – General governancerequirementsArticle 41 introduces the main themesdeveloped in Articles 42 to 49, butabove all emphasises that, “insuranceand reinsurance undertakings [shall]have in place an effective system ofgovernance which provides for soundand prudent management of thebusiness.”

Art. 42+43 – Fit and properrequirementsArticle 42 stipulates that “all personswho effectively run the undertaking orhave other key functions [shall] at alltimes fulfil the following requirements:

their professional qualifications,knowledge and experience areadequate to enable sound and prudentmanagment (fit); and they are of goodrepute and integrity (proper).”

This information must be reported tothe supervisory authorities in the eventof any changes and must bedocumented.

Art. 44 – Risk managementsystemArticle 44 states that “insurance andreinsurance undertakings shall have inplace an effective risk-managementsystem comprising strategies, processes

and reporting procedures necessary toidentify, measure, monitor, manage andreport, on a continuous basis the risks,at an individual and at an aggregatedlevel, to which they are or could beexposed, and their interdependencies.

That risk-management system shall beeffective and well integrated into theorganisational structure and in thedecision-making processes of theinsurance or reinsurance undertakingwith proper consideration of thepersons who effectively run theundertaking or have other keyfunctions.”

Figure 2: Risk governance

Source: PwC


Article 44 describes limits in thescope covered by risk management(underwriting, asset-liabilitymanagement, investment, operationalrisk management, liquidity andconcentration risk management,reinsurance and, in part, the internalmodel). It stipulates that these riskmanagement policies must bedocumented.

To recap, the Directive:

• presents the risk managementfunction (hereinafter referred to asthe ‘risk Function’) as an efficient,mandatory function integrated intothe organisation

• limits the scope of risks covered –notably risks used to calculate SCR,but not necessarily limited to justthese risks

• describes the specific responsibilitiesof this function, acting as the overall‘conductor’ for the system and ‘pilot’for the internal model, if applicable.


Art. 45 – Own risk and solvencyassessment (ORSA)Article 45 states that as part of itsrisk management system, everyinsurance and reinsurance undertakingshall regularly “conduct its own[proportionate and documented] riskand solvency assessment” to determinethe Solvency Capital Requirementrisk measure and calibration.

ORSA essentially covers three majorpoints:

• as applied, ORSA shows whether ornot the risk management processesdeveloped by the organisation areappropriate

• it is integrated into business strategyand is taken into account in theorganisation’s strategic decisions. Itsanalyses and reports are taken intoaccount by decision makers

• the assessment can be performedfollowing any significant change inthe risk profile of the organisation.

Art. 46 – Internal controlArticle 46 states that “Insuranceand reinsurance undertakings shallhave in place an effective internalcontrol system [including at least]administrative and accountingprocedures, an internal controlframework, appropriate reportingarrangements at all levels of theundertaking and a compliancefunction.”

Art. 47 – Internal auditArticle 47 stipulates that “the internalaudit function shall include anevaluation of the adequacy andeffectiveness of the internal controlsystem and other elements of thesystem of governance… [and] shall beobjective and independent from theoperational functions.”

Art. 48 – Actuarial functionArticle 48 describes the actuarialfunction as an assessment function thataims to “coordinate the calculation oftechnical provisions; ensure theappropriateness of the methodologiesand underlying models used as wellas the assumptions made in thecalculation of technical provisions;assess the sufficiency and quality of thedata used in the calculation of technicalprovisions; compare best estimatesagainst experience; inform theadministrative, management orsupervisory body of the reliability andadequacy of the calculation of technicalprovisions; oversee the calculation oftechnical provisions..., express anopinion on the overall underwritingpolicy; express an opinion on theadequacy of reinsurance arrangements;and contribute to the effectiveimplementation of the riskmanagement system...”

Art. 49 – OutsourcingFinally, Article 49 informs us that“insurance and reinsuranceundertakings remain fully responsiblefor discharging all of their obligations...[when outsourcing] functions or anyinsurance or reinsurance activities”.The outsourcing of activities must notimpact the governance system,business, operational risk or the abilityof the supervisory authorities tomonitor compliance.

Moreover, undertakings shall notify thesupervisory authorities prior to theoutsourcing of “critical or important”functions or activities.


1.3 What do the implementing measures say?

The Solvency II provisions concerningthe organisation and risk governancesystem are based solely on the guidingprinciples. The regulators want eachorganisation to be responsible fordetermining its own organisationalstructure, and have therefore definedonly key functions and very generalrequirements. To help interpret Articles41 to 49, the regulators have,nonetheless, given some specifics.

These specifications on the riskmanagement system are provided inthe Level 2 measures in the document“Advice for Level 2 ImplementingMeasures on Solvency II: System ofGovernance” (from Consultation Paper33), published in October 2009. Level 3measures, currently in preliminarydiscussions, are based on the samearchitecture and are expected to clarifycertain points, depending on the levelof the regulators’ requirements.

Essentially, under these requirements all companies which are subject toSolvency II must demonstrate that, inline with these principles, they have anoperational system for managing andoverseeing its risks which guarantees:

• a true understanding of the risksto which the company is exposed(risk profile) and a reasonableassessment of its exposure at anygiven time

• a real operational risk managementmechanism, i.e., key componentsare in place, and each componentcan do what it is supposed to do

• reporting of required informationand the ability of the regulatoryauthorities to make the necessarydecisions.


These provisions clearly form a minimal regulatory base. The principles are very broad: each organisation must specificallyadapt them to its size, its expertise and the complexity of its risk profile. This is what is referred in the legislation as the‘proportionality principle’. However, the scope of this principle and the level of the ‘leeway’ allowed for different organisationscurrently remain unclear.

System of governance (SG 1, SG 2, SG 11, SG 13)• A clear, robust and well-documented system to encourage organisation

• of of interest, ‘four-eyes principle’, documented of and proper requirements for all key functions

Risk management (SG 3, SG 4, SG 7) (see focus)• Clearly documented processes, procedures and policies

• A minimal scope of the ‘risk areas’ to be covered: underwriting, reserving, ALM, investments, liquidity and concentration, operational risk, reinsurance and other risk-mitigation techniques

• Responsibilities: (i) ERM architect and coordinator, (ii) producing aggregated risk (iii) reporting on risk exposures and (iv) identifying and assessing emerging risks

Compliance function – internal control (SG 5 and SG 8)

• Reference to COSO framework (control environment, control activities, communication, etc.)

• Responsibilities: (i) compliance of operations, (ii) management of operational activities and (iii) reliability of and information

• An independent, impartial and stand-alone unit with expertise in all businesses and processes fully within its scope

• Requirement to issue an annual report based on an audit plan with a risk-based approach

Actuarial function (SG 10)• Responsibilities: coordinating the calculation of technical provisions, assessing the appropriateness of data

methods and quality, back-testing best estimates and providing management with formal opinions on the reliability of models (formal report)

Outsourcing (SG 12) • Obligation to ensure that outsourcing does not negatively impact service quality or global operational risk exposure

• Formalised, comprehensive processes and policies covering all areas of an outsourcing project (selection, contract, monitoring, etc.)

Internal audit (SG 9)

Figure 3: A summary of the provisions

Source: PwC


Focus on Level 2 measures In the Level 2 text, Article SG3 givesEIOPA’s opinion on risk managementefficiency and provides the followingadvice:

a) Risk management strategymustbe clearly defined and welldocumented. This strategy must setrisk management objectives and keyrisk management principles, definethe organisation’s risk appetite andfinally describe the roles andresponsibilities of the riskmanagement function across thecompany and in accordance with itsbusiness strategy.

b) Risk management policies must beput in writing and adapted. Theyinclude naming and definingthe risks to which the organisation isexposed, classifying them by type and limits of acceptability.The risk management systemmust apply strategy, facilitatethe implementation of controlmechanisms and take into accountthe nature, scope and time horizon ofthe business and the associated risks.

c) Risk management processes mustbe appropriate and proceduresadapted in order to identify, assess,manage, monitor and report risks.

d) Risk reporting procedures mustbe appropriate as must thefeedback loops that ensurereporting. These procedures arecoordinated and challenged by therisk management function and areactively controlled and managedby all relevant staff.

e) Reporting documents submitted tothe above-mentioned bodies by therisk management function refer tothe risks (potential or actual)associated with the business of thecompany and the operationalefficiency of the risk managementsystem.

f) Lastly, ORSA must be adapted tothe company’s activities.

Special case of ORSAORSA is a hot topic that was covered inthe Level 3 measures that wereaddressed by EIOPA in the second halfof 2011 as well as during a conferenceon Pillar 2, governance and ORSA heldby the Autorité de Contrôle Prudentiel(Prudential Control Authority or ACP)during the second quarter of 2011.

Despite the importance of this process,Article 45 was not described in any textrelating to Level 2 measures. CEIOPSpublished an Issues Paper entitled“Own Risk and Solvency Assessment(ORSA)” dated 27 May 2008.

As presented to date, ORSA is a processdesigned to ensure that the company isable to calculate and manage its risksand that its capital needs are met.However, certain characteristics shouldbe highlighted. (see chart below):

• ORSA is the responsibility of seniormanagement, in charge ofoverseeing the process and itsresults with respect to the regulator.

• It is a documented risk managementprocess that must be submitted tothe supervisory authority at regularintervals (at least once a year) andfollowing any significant change inthe insurer’s risk profile.

• It is an integral part of the day-to-day management of the company(commercial policy, investmentstrategy, capital management,acquisition strategy …).


• It offers a holistic and forward-looking approach to managing risk(risks used to calculate SCR andother risks – reputational risk,strategic risk, macroeconomic risk,political risk, etc. – to which thecompany is exposed over itsstrategic planning period,traditionally three to five years)across the full scope of the Group(all European entities and thoseoutside the EC under the Group’ssupervision).

• It allows all organisations to showthat they can raise the capitalnecessary to cover solvencyrequirements for the strategicplanning period (as opposed tothe one-year horizon used tocalculate SCR).

• The risk assessment in the ORSAprocess represents the company’s‘own’ view of its risks, taking the riskmodules identified in the SCR

calculation, namely the differencein the number of risks identified,how they are measured, i.e., theconfidence interval to which theformula is calibrated. Furthermore,the company may use either astandard formula approach or aninternal model to assess its riskexposure. The methodology must beproportionate to the complexity ofthe company’s activities and thetypes of risks involved.

“The main issue is knowing how to implement the keyfunctions and a governance system that are compliantwith the Solvency Directive and compatible with joint-management structures. The Directive draws mainlyon concepts applicable to corporations and jointmanagement entities as opposed to mutuals, which arebased more on the principles of solidarity,compensation and retrocession.”

Albert Cohen, Risk and Solvency officer, Réunica

é• Strategic objectives• Risk strategy• Valuation of strategic

scenarios• Capital strategy• Use of capital and financial resources

• Strategic allocation• Reinsurance and

other hedging• Business decisions• Forecast timeline

• Risk identification• Qualitative analyses• Control assessment• Prioritisation and classification of risks• Risk profile• Risk management policies

Business strategy

• Economic assessment

• Best estimates• Risk parameters

and assumptions• Analysis and

estimates of capital

• Stress test and scenario

• Fungibility of capital • Capital assessments

(internal, S2, etc.)• Reconciliation of

these assessments

Solvency management and measurementRisk analysis and assessment

• Business environment• Emerging risks• Long-term risks• Macroeconomic environment• Regulatory framework (S2)• Changes in legal environment• Social trends

External environment

• Regular monitoring of risk profile• Solvency management and monitoring• Risk appetite and tolerance • Frequency of assessments• Support for strategic decisions• Risk governance documentation• Disclosure (Pillar 3)

Decision-making process

Figure 4: Risk management system

Source: PwC


1.4 COSO II – ERM

BackgroundThe COSO framework on internalcontrol was set out as early as 1991 andtoday is an international benchmarkused by companies that want theirinternal control system to be up tostandard. Since 2002 it is theframework used by internationalcompanies to assess their compliancewith the Sarbanes-Oxley Act, whichrequires management to assess andreport on internal control every year(Section 404/SEC Proposals – October2002 – and ASB – March 2003),affirming “the responsibility ofmanagement for establishing andmaintaining an adequate internalcontrol structure and procedures forfinancial reporting”.

This framework is closely linked to theuncertainty and concerns raised by thecorporate scandals in the early 2000s(Enron, Parmalat, Worldcom, etc.).It was originally designed to providea standard for structuring internalcontrol systems. However, it hasevolved as companies have realised thatthe strict perspective of internal controlwas too limited and didn’t allow for allpossible risks to be understood andcontrolled. ‘COSO II– ERM’2 wasintroduced in 2004, broadening anapproach that aimed to manage andsecure operations through controlmeasures including:

• an overview of all types of riskpotentially faced by an organisation,

• establishment of different ‘blocks’ atwork in global risk management,and

• the integration of risk managementresults into business management.

There is a direct relation between acompany’s objectives and the riskmanagement components required toachieve them. The famous ‘COSO cube’is a three-dimensional matrix thatillustrates the relationship betweenthese components.

2 COSO, “Enterprise Risk Management – Integrated Framework”.


PresentationA company’s objectives (represented bycolumns) fall into four main categories:strategic, operations, reporting andcompliance. The eight riskmanagement components are the lines,and the entity units are the thirddimension. This matrix shows how toapproach risk management globally, byobjectives category, component or unitor any combination thereof.

As illustrated above, the COSOframework is the underlying structurethat supports the main concepts used byall those involved in risk management:risk strategy, risk appetite, risk profile,risk measurement, reporting onexposure, and so on.

The main purpose of the frameworkis to provide a way of integrating riskinformation into the enterprise’sdecision-making and strategicprocesses. By following this advice, anyenterprise can manage its performance(according to the criteria it definesindependently and specifically for itsbusiness) with respect to the amountof risk necessary to achieve it.

ERM can now be viewed as anoperational process based on COSO II,providing decision makers (managers,directors) with reasonable assuranceas to the management of risks actuallytaken in application of strategicobjectives and within the limitsof a globally defined risk appetite.It facilitates the management ofuncertainty, risks and opportunities,the identification of events that couldgive rise to risks and the definition ofsuitable internal control solutions.

FILIALE

Risk management

Risk profile

Measurement system

Policies and processesPolicies and processes

Risk control

Reporting system

Decision-making

s

Strategic

Operations

Reporting

Compliance

Internal environment

Objective setting

Event identification

Risk assessment

Risk response

Control activities

Information and communication

Monitoring

SU

BS

IDIA

RY

BU

SIN

ES

S U

NIT

DIV

ISIO

N

EN

TITY-LEV

EL

Figure 5: COSO II framework

Source: PwC


Since risk is the essence of insurance,one can immediately see the benefit ofa framework that addresses theunderlying principles and covers:

• The definition of strategic objectivesby the decision-making bodies.

• The identification of risks resultingfrom the efforts made by thecompany to achieve these objectives– risk may refer either to threat inattaining objectives or opportunityto be pursued in order to achievethem.

• The implementation of an effectivesystem for managing the exposureto these risks.

• The notification and reporting ofrisk exposure and failures to therelevant managers.

To integrate risk into managementprocesses, risk management must‘permeate’ throughout all the levels andprocesses of the enterprise.The system is aligned with theenterprise’s organisational model,which breaks down into the followingcomponents:

• The strategic dimension:How do decision-making bodiesintegrate risk into their processes?How do they define the limitsof risk acceptability (i.e., what isauthorised to achieve objectives,what is avoided or proscribed)?

• The organisational dimension:What functions are involved in riskmanagement? What processes areused? How are these analysesrelated to solvency levels forinsurance companies?

• The operational dimension:How does the undertakingimplement risk measurement toolsand resources so as to benefitfrom them fully? What are thereporting channels?


Conclusion

COSO II – ERM, designed as a standard and operational framework, providesthe main elements and overall approach for a risk management process. Solvency II adds two specific organisational and business requirements. Insurersmust specify the functions involved in their risk management and integrate riskand solvency assessment into their five-year business planning models usingORSA.

The great challenge of Pillar 2 lies in assessing how to interpret, adapt andimplement these frameworks within an organisation. In order to be successful,they must be fine-tuned, correctly calibrated and adapted to the specificcharacteristics of your business, the complexity of your organisational structureand your ‘risk culture’.


2. Operationalimplementation


Introduction

Not all companies place the sameimportance on risk management. Theirchoices naturally differ given the heavyinvestment required to set up an overallrisk management process, compliantwith the principles and obligations ofSolvency II. These choices are difficultto make and objectify, involve topmanagement and must be made in thecontext of the business’ overall strategy.

Our goal here is not to provide a‘magic formula’ that solves thechallenges you face in implementingyour Solvency II projects. Instead,we list the key factors that willdetermine your choice of structurealigned with the three key dimensionsof the compliance programme.

They are:

• Calibrating/fine-tuning the overallstructure of the risk managementprocess.

• Implementing the risk managementprocess.

• Overseeing the key cross-businessprojects.


2.1 Defining the risk management system

The integration of a risk managementframework into a company that has along history of processes, expertise,habits, styles and decision-makingbodies is a complex task. Given theextent of the changes and the length oftime some established practices havebeen in place, implementing a riskmanagement process requires complete

involvement from all players concerned(first and foremost seniormanagement) throughout the process.

If the main ‘new’ concept consistsof development or implementationof a risk management function,Solvency II projects now go as far asdefining organisational structures for

the entire risk management process,encompassing all of the functions,processes and bodies involved in riskmanagement.

Our experience has shown us thatto do so, five main questions mustbe answered:

The answers to these questions are determined by complex constraints, which may be regulatory (Solvency II), external(ratings, etc.) or internal (goals, organisation, etc.).

1

2

4

5

3

• What organisational building blocks fall within the scope of the risk management function: Risk management? Actuarial function? Compliance? IT system security?

What are the organisational building blocks in the system?

• What functions have a key role in risk management?

• What are their responsibilities (control, monitoring, reporting, etc.)?

What should be the scope of the risk management system?

• How are prerogatives coordinated between central and local risk functions, particularly at foreign sites?

• What delegation rules should be put in place?

How are the different functions coordinated?

• Exactly how should responsibilities be broken down between the risk management function and business functions in respect of key risks (ALM, investment, technical issues, etc.)?

How centralised should the risk management system be?

• What fundamental indicators govern the risk/return trade-off (ROE, SCR, MCEV, etc.)? What criteria concretely reflect risk appetite?

How should the added value of ERM be measured?

Figure 6: Risk management process

Source: PwC


2.1.1. The ‘organisational buildingblocks’ of the system

It is essential to recognise and definethe scope of functions involved in riskmanagement. In fact, it is not simply aspecialist area; its managementinvolves every level of the company. Ateach level the system must integrate thedifferent elements: operational risk-taking, coordination of risk-taking andsupervision of risk-taking.

The ‘three lines of defence’ modelprovides a useful framework withinwhich these various functions andelements can work together.

• Front Office business staff haveprimary responsibility for the risksthey take, and risk managementpractices and processes in place atthis level constitute the ‘first lineof defence’.

• The ‘second line of defence’ is heldby specialised risk managementfunctions. Their role is to design,coordinate and manage a consistentframework for taking risks, butwithout being directly exposedto business risk. This covers thekey functions of risk management asdefined by Pillar 2 (riskmanagement, internal control andcompliance).

• The regular, independent, risk-based audits performed by theinternal audit function providereasonable assurance as to thepertinence and correct operationof the system. This is the ‘third lineof defence’.

Building on this framework, companiesgenerally define the main principlesfor coordinating the different stratainvolved in taking risks, as illustratedoverleaf. The organisational diagrammost often defines responsibilities ateach step in the risk managementprocess. These principles then serveas a basis for assigning specific riskmanagement roles and responsibilitiesin accordance with the risk profile.


Two challenges often arise whenimplementing these principles:

• The risk management function mayhave different responsibilitiesdepending on the type of risk.Acting as a coordinator, it may takeon direct responsibility in certainareas such as operational risk.These details are outlined in theanalysis of the risk function’sposition (see below).

• Internal audit has a special role inthe system that is often difficult toposition. The provisions of theSolvency II Directive place greatemphasis on the independentnature of this function. Its resourcesmust be free of any otheroperational responsibility.According to the Institute of InternalAuditors, the purpose of internalcontrol is to independently providemanagement with reasonableassurance as to the pertinence,quality and appropriate applicationof the risk management system.It is easy to understand why thisfunction must be independent inorder to establish its own approach(based on its perception of risk)and express opinions free of anyoutside influence.

First line of defence Second line of defence Third line of defence

‘Operational’ functions ‘Specialist’ functions ‘Risk’ functions ‘Assurance’ function

Scope All functions (IT, HR, Finance, Production, etc.)

- Actuarial/Technical Dep.

- ALM/Investment Dep.

- Other (underwriting, etc.)

- Risk management

- Internal control,

compliance, etc.

Internal audit

Principles and standards N/A Proposes

Reviews and approves/proposes

Carries out independent, empirical reviews on: - appropriateness of

systems

- their correct application

Implementation Applies Proposes/applies Coordinates/applies

Controls Applies/proposes Applies/proposesSupervises, consolidates,

analyses

Reporting Produces Produces/analysesConsolidates, analyses,

manages

Action plans Applies Proposes/appliesApproves and manages/

applies

Coordinator role/operational role

Figure 7: Three lines of defence

Source: PwC


2.1.2. Scope of therisk management system

Solvency II places the risk function atthe core of the risk managementsystem. Regulations defineresponsibilities and a scope ofminimum risks on which the function isbased. If a company uses an internalmodel, the function is in charge ofdesigning, testing, implementing andmonitoring the performance of themodel, either in part or in totality. Mostcompanies naturally launch Pillar 2projects by putting in place orreviewing the positioning of the riskfunction. It is in charge of overseeing allrisk management processes (seeabove), even if it does not directly carryout the operations, analyses andcalculations required in this process.

The reference for definingthe risk profileWhen a risk function is set up, its firsttask is to identify the risks to which thecompany is exposed. Although eachcompany faces its own specific set ofrisks, defining a risk profile follows afew best practices.

The first involves the scope of risks, whichmust be identified in the risk profile:

• It must cover at least the basic riskmodules used to calculate capitalrequirements, whether determinedbased on a standard formulaor an internal model, namelyunderwriting, market, interest rate,operational, etc.

• It is not, however, limited to justthese risks, as they are too limitedto give a true picture of the actualrisk profile. The risk function mustidentify other risks that are specificto the company, taking account ofall its subsidiaries and businesses(not necessarily insurance alone) aswell as specific risks related to thecompany’s structure.

The risk function must also bear inmind that this risk profile is not merelyan inventory of all the potential oractual risks:

• Based on its analyses and the pointsof view covered, it prioritises therisks that must be monitored.Its added value lies in its ability toprovide a ‘shortlist’ of risks thatjustify investing in measurement,monitoring and permanentsupervision, based on the company’sbusiness objectives.

• As such, this management tool isdeveloped by combining the ‘riskphilosophy/vision’ of operationalstaff (a bottom-up approachto risk management based on thecomprehensive identification ofrisks) with that of management(a top-down approach wherebyinvestment in risk management isjustified and prioritised).


Finally, the risk function ensures thatan operational risk management systemis in place and that it covers all the riskprofile components. Each risk must beassigned to a risk ‘owner’ who is the‘subject matter specialist’ available inthe company: i.e. actuarial departmentfor underwriting, certain counterpartyand reinsurance risks, assetmanagement for market and creditrisks, and so on. Assigning a risk owneris the first step in implementing anoperational risk management system.The components in the riskmanagement process are set out belowin section 2.2.

The evolving risk function underSolvency IIAbove and beyond the purely technicalaspects, companies have enhancedthe risk function’s ‘right of inspection’ inoperational decisions. This notion fullycovers the risk department’sprerogatives in terms of processes,policies and risk-taking for which it isnot the leading expert. In reality, therisk function’s involvement is in linewith the strategic priority associatedwith the risk:

• A company may take a conservativeapproach to risk, its priority beingnot to compromise the protectionoffered to policyholders and toensure performance. In this case,the risk function would take on anadvisory role, assisting operationalmanagers in their processes andassociated risks. It has little (or no)latitude to block decision-makingprocesses.

• A company may decide to base itsvalue creation on managing therisks it takes and the impact of theserisks on its strategic variables:market consistent embedded value(MCEV), market capitalisation,economic capital, etc. In this case,the risk function takes on anessential role in operational

decisions. It is a full stakeholder inthese processes, is consulted for allimportant decisions and issues aformal opinion. It may have thepower to block decisions (which inturn requires an arbitrationprocess). These companies almostsystematically use an internal modelthat is integrated into their strategicand operational decision-makingprocesses.

Companies gradually advance alongthe ERM maturity curve between thesetwo ends of the spectrum. As the ERMprocess develops, the positioning of therisk function evolves:

• The position of the risk functiontends to rise within the company’shierarchy. Nowadays it isincreasingly attached to uppermanagement, indicating anunderstanding by them of theimportance of the ERM in insurancecompanies.

• The role of the CRO is evolving.Often seen initially as a conservativeand technical profession, it willgradually develop into that of abusiness adviser who works withdecision makers. With a uniqueunderstanding of the risks taken bythe company and how they interact,a CRO can offer advice on how tocreate value.

• The resources required to take onthese functions have grown sharply.Risk departments were initially setup to meet successive regulatoryrequirements (anti-moneylaundering, anti-fraud and so on)but have since developed into morerefined structures, most oftenbroken down by types of risk(operational, technical, economiccapital, etc.). These resources aremore numerous, more highlyqualified and more specialised.


2.1.3. Coordinating different functionsinvolved in risk management

Once the basic components of thesystem have been identified andcalibrated, the challenge for the riskfunction is to promote theimplementation of an efficient risksystem underpinned by clear, shareddecision-making processes. To do so,the risk function has two main levers.

The definition of the rolesand responsibilities for theprincipal risksTo do so, the risk function moveson from establishing the risk profileto coordinating the roles andresponsibilities for each of the risksincluded in the profile. The mainchallenge lies in the diversity andheterogeneous make-up of the riskfunctions and risk owners. Riskdepartments must first harmonisethe various risk managementsolutions proposed.

While the three lines of defence modeloutlined above provides a generalframework in this regard, thisharmonisation process must bespecifically adapted to each risk in theprofile. It is therefore necessary to:

• Map the appropriate functions tohandle this risk: businesses,support, management orgovernance, etc.

• Pinpoint the best subject matterexpert within the company tomanage this risk (generally the riskowner identified in the systemimplementation phases upstream).

• Clearly define the roles andresponsibilities of each playerinvolved in the process. Closeattention should be paid to thesupport functions’ power to blockprocesses (typically the riskfunction) as opposed to the relevantoperational functions. The notionof ‘right of inspection’ foroperational decisions should bespecifically defined. This right inturn requires the establishmentof a clear arbitration process in caseof a conflict between the riskdepartment and the business lineconcerned.

“Implementing Solvency II, and particularly Pillar 2, will require greatercoordination between all participants in risk management. The process will drawon existing management rules, which themselves will need to be strengthened. Theresulting discipline will create growth opportunities and strengthen relations withcustomers, while guaranteeing all stakeholders (employees, shareholders,customers, etc.) improved control of risk and its impacts on business structure.”

Ronan DAVIT, Head of Risk, Euler Hermes Group


The matrix below is an example of the types of roles and responsibilities involved, offering a simple method for establishing aclear distribution of roles.

The implementation of adecision-making architectureEven the best-designed riskmanagement system will only beefficient and effective if an operationaldecision-making architecture has beencodified. It must ensure first that alluseful information is reported to theappropriate committees and otherdecision makers in a timely manner.Second, it must ensure that thesebodies review the issues at hand andmake the necessary decisions. Thecompany is then in a position tocontinuously manage its risk exposureand react promptly to any unexpecteddeviation in its risk profile.

The structure of the decision-makingprocess is specific to the culture of eachcompany and is in line with its positionon the ERM maturity curve. However,the review or implementation of thedecision-making architecture followsseveral key steps:

• Define the key organisational levelsin risk decisions, which oftencorrespond to the company’s maindecision-making levels (executivecommittee, key functions in risk-taking, operational staff, etc.). Theyare defined in line with the rolesand responsibilities identified foreach type of risk in the risk profile.

• Prioritise the types of risk thatrequire formal supervision on aregular basis. The company mustformally define the responsibilitiesrequired at each organisational levelin line with these priorities (globalsupervision, definition of practices,monitoring and reporting, etc.).

• Design ad hoc decision-makingbodies at each level: type ofcommittee, members, voting rights,assignment of roles, meetingfrequency.

Investment management

Responsible(ultimate responsibility)

Implementer(oversees operational

implementation)

Consulted(opinion requested systematically,

published and taken into account in the decision)

Informed(regularly informed of new management decisions)

Board of Directors (through the risk committee): takes responsibility for global supervision

General Management: approves and monitors investment policy

Investment Department: submits strategic allocation plan for validation, defines tactical allocation specifics, monitors implementation

Risk Department: issues an opinion on the Group’s and the entity’s total exposure to market risks and overall solvency level. If it issues an unfavourable opinion, the case is submitted to the executive committee for arbitration

Cash Department (Financial Department): informed of all changes in investment policy, receives a copy of all investment flows

Figure 8: Investment management roles and responsibilities matrix

Source: PwC


As such, the structure of the company’s system of committees can be consistent throughout, as illustrated in theexample below:

The close relationship betweenrisk management and riskcontrolOne of the main lessons learnt from thefinancial crisis (notably the Kervielcase) is that efficient risk managementrequires coherent and consistentoperational coordination between:

• the definition of major risk policiesand processes (primarily by the riskdepartment), and

• the appropriate application of thesepolicies and processes by therelevant entities (operationalfunctions, internal control, etc.).

Historically, most insurance companieshave developed internal controlapproaches that are often granular andalways complex. These approachesaimed to identify and to manage therisks specific to certain processes oroperational areas, namely: reliability offinancial reporting processes (SOXprojects), security of informationsystems, anti-fraud or anti-moneylaundering processes, etc.

This work has led companies to focusspecifically on operational riskmanagement. The primary role ofinternal control (or permanent control)is to ensure the appropriatemanagement of the company’s

processes and operations and thereliability of financial and non-financialinformation produced by the company.At the time of writing, work has begunin this area but has seen little or noapplication among insurancecompanies: operational risk is difficultto understand, differs completely foreach company and is not specificallydefined in Solvency II. Furthermore,SCR calibrations for operational riskproduce negligible capitalrequirements, further incitingcompanies not to invest in a complexsystem to manage this risk.

Market Credit Underwriting Operations

Risktakers

Executive Committee

Reporting &mitigation

Risk Committee

Underwriting Committee

Internal Control

Committee

Investment Committee

ALM Committee Reporting Reporting

Figure 9: Committee matrix

Source: PwC


Some market players are currentlyimplementing specific procedures foroperational risk analysis and risk –control coordination. The main onesinclude:

• Gradual merging of risk andcontrol functions under theresponsibility of a single function(most commonly the CRO). Thisensures greater consistency betweeninitiatives that were sometimesfragmented in the past. The primaryfocus is often on compliance, raisingthe question of whether operationalrisk is best managed by legalprofessionals (regulatory watch) orinternal control (integration of legalprovisions into operationalprocesses). The trend clearly seemsto be to: (i) appoint a complianceofficer to take charge of defining thecompany’s main compliance issuesand coordinate the application ofthe relevant legal provisions while(ii) maintaining the legaldepartment’s responsibility for legalmonitoring, setting up a body thatmeets regularly between the twodepartments. Broadly speaking,companies tend to put their riskmanagement function in charge ofsupervising both the effectiveness of their ERM framework and theappropriate application of itsprovisions.

• Definition of the operational risksystem. First of all, operational riskmust be defined. This analysisgenerally reveals that operationalrisk covers any factor that couldcompromise the achievement of theobjectives of operational processes(see the list of risks defined by Basel II) or the appropriateapplication of risk policies asdefined by the company. Somecompanies have taken this a stepfurther: given the sheer volume ofoperational risks, they haveprioritised the critical areas ofexposure and focused their effortsto deploy management systems inthese areas.

• Modelling of operational risk.Some companies have implementeddata collection systems foroperational losses. These systemsare used to assess the company’sreal exposure to operational losses,set up a more coherent managementsystem or even to save on capitalrequirements. To be effective,however, the system’s parametersmust be determined (e.g., by clearlydefining an operational loss and theminimum loss amount for datacollection) and cover an adequatehistorical period. Results aredeemed significant after threeto five years of collection.


2.1.4. The extent of centralisationof the Risk function

Insurance groups are faced with amajor operational difficulty: theoperational scope of the risk function.How do they integrate such diverseentities and businesses that are notnecessarily related to insurance (assetmanagement for complementarypension or social security plans,healthcare and assistance services,strategic investments, and so on.) intotheir analyses and processes?

Although most companies are stilltrying to establish an efficient way ofcoordinating the risk system acrosstheir different entities, the followingbest practices have emerged:

• Aligning risk management processwith the organisational anddecision-making structure withinthe group that is already in place.In a highly decentralised group,the different entities or subsidiariesoften have a local risk functionthat reports to their generalmanagement but falls under the

responsibility of the group’s riskdepartment. In a more centralisedgroup, the group risk departmentoversees legal entities. It may applythe principle of subsidiarity thatdetermines the entities’ leeway, andin this case a ‘risk representative’ isappointed. In either configuration,the risk function is a network-basedstructure.

• Groups, when dealing with all oftheir insurance entities, tend torequire consistent reportingprinciples and structures that aredefined and supervised locally. Thisapplies especially to internationalgroups with foreign subsidiaries orentities in countries not subject toSolvency II. Most often they opt fordouble reporting, with one set ofreports prepared based on localprudential standards while anotheris submitted to the group in‘Solvency II format’.


There are often overlapping principles on the structure of the risk management process, as illustrated in the diagram below.

That being said, there is no standardstructure that is widely shared,especially with regard to the extensionof the risk function to non-insurancesubsidiaries.

In some cases, the problem has more todo with difficulty in adhering to theprinciples of independence in relationto the operational function. Manycompanies have also tried to ‘force’their risk function beyond the strictminimum regulatory requirements. Infact, this function is supposed tobecome more centralised but not all ofthe issues at stake are necessarilyevident in the beginning. Therefore

these companies have added the more‘traditional’ functions to the riskfunction, giving it more substance and importance.

The solutions seen are most oftenbased on the principle of subsidiarity:the subsidiary has considerableautonomy in managing its risks, andthe group only covers the few typesof maximum losses that can begenerated by the subsidiary (notionof ‘subsidiary risk’).

CRO

ERM

ALM

Corporate actuarial

Permanent control

Economic capital

75%

67%

33%

17%

17%

CEO67%

Reinsurance 17%

Based on the benchmark study conducted with 30 of the most important companies in the insurance industry (insurance companies, mutual insurers and pension funds)

Possible organisation chart of risk functionPrincipal responsibilities of the CRO

ERM

ALM

Actuarial

Reinsurance

Permanent control

Economic capital

Internal capital model

Risk management model

Capital management

Market risk exposure

Internal control

Accounting

Solvency 2

Management control

0% 20% 40% 60% 80%

Figure 10: PwC Risk function benchmark

Source: PwC


2.1.5. Measuring key indicators of therisk management system

In working with general management,one of the most fundamental roles ofthe Risk function is to define the keymetrics of risk management. The choiceof these indicators shows theimportance the company gives toefficient risk management in its overallstrategy.

This process is part of the establishmentof risk strategy, as described in the nextsection. However, before beginning,the benchmark metrics must first bedefined. They must feature certaincharacteristics:

• They reflect the main aspects ofthe risk/return trade-off offeredto stakeholders (ROE, servicequality, security of protection, etc.).They can measure the entity’sresilience in some extreme cases(i.e., distribution tails) but remainrealistic and always incorporatethe notion of performance(profitability, etc.).

• They are easily measurable, i.e.,the cost of implementing thecalculation and managementinfrastructure is not prohibitive(especially if it is based on processesthat are already in place) given theadded value of monitoring.

• They are clear and understandablefor those in charge of monitoringthem. It is therefore essential at thispoint to define or validate themwith management bodies, ensuringthat they understand them anddo in fact want to have thesemanagement indicators in place.

In most cases, however, companiesmay use a very limited number of‘fundamental’ indicators to supporttheir ERM approach. Their approachesgenerally combine:

• an income indicator such aspre-tax net income

• a value measure such as MCEV

• a solvency indicator such asthe SCR coverage ratio or economiccapital.


2.2 Implementing therisk management process

The risk management process can be simplified and brokendown into the steps presented in the diagram opposite.Each of these steps features a certain number of components.The purpose of this section is to examine these components,identify the main issues involved and their operationalapplication and provide concrete examples of their application. Defining the risk

framework

Identifying and measuring risks

Managing risks

Monitoring and reporting risks

Establishing strategic capital planning

Figure 11: Steps for implementation of riskmanagement processes

Source: PwC


2.2.1. Defining the risk framework

Articles 44 and 45 require the companyto demonstrate that it has implementedan adequate and efficient riskmanagement system that includes aclearly defined and documentedstrategy for managing and monitoringits risks. The Directive also requires theestablishment of a clearly definedrelation between risk and returnobjectives in this risk strategy.

Components of a risk strategyThe risk strategy provides the means todefine the accepted framework for riskmanagement. The benchmark metricsapplied to risk management are pre-defined, as indicated above. A risk strategy approach is based on five key concepts:

• Risk appetite represents theaggregate level of risk (i.e. at Grouplevel) that a company is prepared totake in pursuit of its business and itsdevelopment. It is a maximumthreshold that is declared bymanagement and is expressed in theform of the accepted deviation ofthe company’s key aggregates fromthe desired outcome.

• Risk tolerance represents the levelof risk that a company is prepared totake in pursuit of its business and its development pertaining to alimited scope. It is a distribution ofrisk appetite at a more specific level.It can be adapted to both broadrisk categories and entities orgeographical scopes.

• Risk limits are defined as theoperational limits in line with therisk budget and/or risk appetite.These limits are specific to theprocesses with which they areassociated.

• Risk profile is the measure of riskexposure expressed in the form of areaction of key financial aggregatesto a shock in an underlying variable.It is measured for a given scope ona given date. It can cover a verylimited scope, such as the mortalityrisk for a specific product at a givensubsidiary, or it can apply to allpossible aggregation levels for thecompany’s entire scope.

• The risk budgetmeasures theanticipated level of risk exposure fora specific timeframe within a givenscope. It measures the risk profilefor a company’s forecast, withidentical levels of granularity.

Risk strategy not only determines theframework within which risks may betaken, but also the terms under whichthese general principles apply withinthe entity. It defines the budgets andtargets adapted to the company’swillingness to take risks in line with thedefined risk strategy.

In coordinating the differentcomponents of risk strategy, a totallyintegrated asset-liability managementmodel is also defined. This strategyis primarily defined through atop-down approach (i.e., defined bymanagement), along with thecontribution of reporting fromoperational staff (bottom-upapproach):

Tolérance au risque

Maximum acceptable riskWhere can we position ourselves in terms of risk?

Target risk profileWhere do we want to position ourselves?

Positioning in relation tocompetition, to regulations, to our specific business

Positioning in relation to our specific business, shareholders’ performance requirements

Perspective for risk appetite defined by the Executive Committee with target risk profile

Appraisal of defined strategy in relation to actual performance with a breakdown by type of risk and by business

Current risk profileWhat is our current positioning?

Description of insurers’ risk strategy

Risk appetiteDocument including the strategy approved by the Executive Committee and its application to risk in terms of competitive positioning (risk capacity, risk appetite) and taking into account the company’s specific characteristics (risk profile)

Risk appetite

Risk tolerance

Marketrisk

Underwritingrisk

Counterpartyrisk

Operationalrisk

Operational application of strategyQuantification of risk and performance

Operational departments

ExecutionRules/procedures

Ris

k g

ove

rnan

ce

To

p-D

ow

n A

pp

roac

h B

ott

om

-up

Ap

pro

ach

Op

erat

iona

l dep

artm

ents

– B

usin

ess

Uni

tsC

RO

– C

FOC

RO

– C

FO –

CIO

Exe

cuti

ve C

om

mit

tee

Control

Methodologies/processesfunctional and

organisational framework

Supervision/reporting

Assessment

Risk management


Figure 12: Description of risk strategies in the insurance industry

Source: PwC


Application of risk strategyA general strategy based on resultsor solvency metrics is not sufficientlyspecific to provide useful operationalguidelines for risk takers. Applyingthis strategy to operational risklimits is therefore crucial to theimplementation of this strategy.

Management involvement is of primeimportance. The different stakeholders(shareholders, market, clients, ratingagencies, etc.) and their respectiverequirements must be mapped out.Understanding these requirements isthe first step in defining the company’srisk strategy and applying it to asystem of operational limits.

For smoother integration of riskstrategy content into decisions, thebudget process must also be updatedto include assessment criteria thattake into account the amounts of risksincurred.

Shareholders’ requirements

Business profile Risk appetite(underlying metrics)

Business plan

Framework of limits

Strategic timeline(3-5 years)

Budget timeline(1-3 years)

Operations(current year)

Application ofperformance

objectives

Application of risk limits

Supervision/management measures

Res

tric

tive

Flex

ible

No

Yes

No

End

Business Plan SupervisionDefinition of limits and target

Draft business plan

Plan application in typical

environment

Defining risk limitsComparing risk profile with limits

Is the BP in line with risk appetite?

Adjustments in Business

Plan

Is the risk profile within defined

limits?

Makingnecessary

adjustments

Taking into account commitments to

policyholders

Yes

Figure 13: Breakdown of risk strategy

Figure 14: The budget process

Source: PwC

Source: PwC


2.2.2. Identifying and measuring risks

Identifying risks applicable tothe businessA robust risk identification system mustbe able to predict all risks and alignthem with the company’s major risks inorder to understand the causes andinterdependencies. It must be regularlyupdated following any significantchange in the risk profile.

The risk identification system (seediagram below) includes two maincomponents:

• A risk map (or ‘heat map’) that isused to classify risks according totheir potential financial impact andtheir probability of occurrence.Financial impact and the probabilityof occurrence must be assessed inthe same way throughout alloperational entities (same risktaxonomy and calibration of impact)and for all types of risk. Equallyimportant is the efficiency of thecollection and update proceduresfor risk data (loss databases).

• A list of major risks that mustinclude the few large-scale criticalrisks to which the company isexposed. Large-scale risks are thosethat could lead to bankruptcy andrequire in-depth analysis in order toidentify their key components(causes, scenarios, impacts, etc.).

Identifyindividuals

withinbusiness units for ownership

of riskregister

Risk investigation:1. Using risk

categorisationmodel

2. Supplementedwith specific

business knowledge

Populatesofware

tool

Review and challenge by RMC

Identify,categoriseand score

risks

Evaluatecontrols

Identifyactions

Risk distributions for use in internal model

Conduct risk andcontrols assessment

(facilitated by risk management)

Management attestation for key risks and

controls

Emergingrisks

Developrisk

registersoftware

tool

Prioritisation

AggregationTransfer mechanism

Risk identification process (one-off)

Riskinformation visualisation

study

Focus groups

Lessonslearnt

Risk mgt

Assessplannedcontrols

framework

Trend analysis of heat map

Internalaudit

Risk assessment process

Risk mgt

Scenario analysis of heat map

Risk mgt

Risk identification process (quarterly)

Loss databases

Record of

1 Diverification benefit

risk events. List of losses, and near misses

Risk heat map

Risk RegisterItems

1 Capital Losses fromInvestmentPortfolio

2 InappropriateInvestmentProcesses

7 InsufficientWorkingCapital

1 Capital Losses fromInvestmentPortfolio

2 InappropriateInvestmentProcesses

7 InsufficientWorkingCapital

Plan and prepare – One-off exercise

Undertake – quarterly process

Risk profile (and qualification) as at…

Risk Type BU1 BU2 BU3 BU7 (DB1) Firm

Nat Cat risk Gl pricing risk

Market risk

Credit

DB1

Total

Risk and Control Heat map

Gro

ss Im

pac

t

5 High 5 10 15 20 25

4 Med/High 4 8 12 16 20

3 Med 3 6 9 12 15

2 Low/Med 2 4 6 8 10

1 Low 1 2 3 4 5

1 Low2 Low/Med

3 Med4 Med/ Hight

5 High

Gross Likelihood

7

2 1

Figure 15: System for identifying risk

Source: PwC


Risk measurement systemsRisk measurement methodologies arecovered by Pillar 1 of Solvency II in thestandard formula that defines themodelling principles for technicalprovisions using best estimates andrequirements for calculating SCR (riskmodule, shocks to be applied,correlation matrix).

Companies may also use an internalmodel that best reflects their specificrisk profile. An internal model canapply the same base to a number ofuses, ranging from solvencyrequirements to embedded value,asset-liability management, profit-testing when creating products, riskappetite or even ORSA.

The internal model is more than just acalculation tool. It is used to measure,control, manage and report on risks.It is at the core of risk strategy and riskmanagement. As illustrated in thefollowing diagram, it is made up ofmethodologies, assumptions(endogenous and exogenous) andconfigurations designed by expertswhich reflect defined policies and applyto internal processes that are specific tothe business. Within an environmentlimited and secured by internal control,the internal model can also be usedto produce a variety of reports designedto meet management’s requirements.In this example, it is used to producethe information used to determineMCEV, economic assessments thatmeasure economic performance or thecompany’s new solvency measures. Inthe future, these models will also servefor evaluating accounting in IFRS underIFRS 4 phase 2.

The internal model plays a pivotal rolein the company's decision-makingprocesses at every step, both inunderwriting contracts upstream and inmanaging underlying risks. Theinternal model, a key component ingovernance, is implemented in linewith the internal control, internal audit,actuarial and risk managementfunctions. However, its implementationmay be costly, especially as Solvency IIprovisions already require considerableresources for insurance and reinsurancecompanies. In such cases, it may seemmore appropriate to apply a standardformula. The use of an internal model isnot mandatory.

Finally, internal models must beapproved by the regulators prior to use.This point is developed in section 2.3.


Bus

ines

s p

roce

sses

Ris

k m

anag

emen

t p

roce

sses

D

ata

pro

cess

es

Out

put

co

ntro

ls

Inp

ut c

ont

rols

Assumption setting

Internal model policies

Change Data Validation

Internal model validation processes

Internal model control framework

Businessplans

Internal model

Other core policies

Use Test

PwC view of internal model scope

Risk &

capital m

gmt

Business p

rocesses

Pricing

Reward

RI purchase

Underwriting

M & A

Strategy

Capital allocation

Business planning

Exposure mgmt

Investments

Solvency monitor

Product dev

ALM

Strategy monitor

ORSA

Process Flow

Internal model processes

Governance

Risk Management

Finance

Actuarial

Executive

Board

Underwriting

ORSA

Risk profile

What if analysis

Cal

cula

tio

n K

erne

l

Man

agem

ent

Info

rmat

ion

Inte

rnal

mod

el in

put

qua

lity

cont

rols

Exp

ert

jud

gem

ent

– as

sum

ptio

n se

ttin

g

Mod

el in

put

dat

a st

ruct

ure

Inte

rnal

mod

el o

utp

ut d

ata

stru

ctur

e

Dis

trib

utio

n re

view

and

con

vers

ion

Inte

rnal

mod

el o

utp

ut c

ontr

ols

Internal model governance

Policysystems

Claimssystems

Assetsystems

Externaldata

Riskuniverse

OpRiskdata

Riskregistration

Aggregations

Counter-party data

Risk transfers

Reserving

Reinsurance

Investments

Validation ofoutputs

Analysis ofchange

Stress &scenarios,sensitivity

testing

Statistical quality & calibration

Methods

Capital (SCR &Ecap)

Balancesheet

(assets & liabilities)

Profit & loss

(Reconcil-iation to accounts)

Figure 16: Internal model scope

Source: PwC


2.2.3. Managing risks

Once the risk strategy is defined, it canbe translated into a risk policyapplicable to all entities or adapted toaccount for country regulations orspecific local markets.

Risk policy is based on theimplementation of governance systemsthat cover at least the following risks:

• Underwriting

• Market

• Credit

• Operational

• Outsourced services

• Internal audit

A governance system is a set ofprinciples and rules established tomonitor and manage risks based on aclear, shared decision-making processand adapted tools. It generally featuresthe following components:

• A set of rules: best practices(industry standards or company-specific practices), toleratedpractices, prohibited practices.

• Delegation of authorityprocedures: any decision that couldsignificantly engage the companymust be approved by at least twopeople at management levels thatcorrespond to the level ofcommitment.

• Pricing and provisioning:profitability target, technical basesused, pricing and provisioningmethodology.

• Risk monitoring: risk indicators,specific risks requiring specificmonitoring, stress tests.

• Tools: documentation, standardand non-standard tools.

An example of policy:Actuarial functionThe first section in this paper discussedthe principles for governance set by theDirective. We understand that theserisk policies are broken down by riskaccording to the modular risk-basedapproach of Solvency II.

How does it work in practice? Let ustake the actuarial function as anexample. This function ‘owns’ theunderwriting risk and is therefore incharge of measuring, managing,controlling and communicating the components of this risk. Theunderwriting risk policy must reflectall of these aspects.

Governance is based on compliancewith principles or guidelinesestablished in accordance with bestpractices recognised by the industry aswell as the company’s internalpractices. These guidelines are appliedas soon as a contract is underwritten,as they set pricing policies in terms ofrisk selection (when possible) andmeasurement of the cost of risk.

For example, in dealing with longevityrisk in annuities, the actuarial functionmay prefer an experience table certifiedby an independent actuary rather thanthe local country regulatory mortalitytables. With more detailed knowledgeof the portfolio, a company may applymortality assumptions that are lowerthan the standard if the type ofpopulation covered enjoys a betterstandard of living and healthcare.

SCR

Adj BSCR

SCRLife

SCROP

SCRDefault SCRIntang

LifeREV

LifeMORT

LifeLONG

LifeDIS

LifeLAPSE

LifeEXP

SCRMarket

LifeCAT

Source: PwC

Figure 17: Risk models for life insurance


2.2.4. Monitoring and reportingon risks

Using risk measurement tools andprocesses, the risk management systemmust produce all the informationnecessary to the relevant managers toensure appropriate and hands-onoversight. Internal and externalreporting structures must be put inplace.

Internal reportingThe purpose of a risk report is tofacilitate risk monitoring by providingnecessary information and analysis ofthe existing and potential risks to whichthe company is exposed.

The content of the risk report must beadapted to its readership:

• Senior Management: the reportpresents, in about ten pages, anoverview of the risks affecting thecompany (the risk map, the three tofive major risks, the marketenvironment, and comparisons withcompetitors).

• The business line or operationalentity: the report covers, in about15 pages, the risks to which thebusiness line or operational entityis exposed.

• Detailed risk report: this document,often about 100 pages or more,provides all the evaluations anddetailed action plans for each risk.

External reportingThese reports are covered in Pillar 3 ofthe Directive. The reporting scope isdescribed in CP58, which includesquantitative and qualitative sections onvarious aspects (accounting,prudential, governance, etc.). Furtherdetails are provided in the followingdocuments:

• Annual Reporting To Supervisors(RTS): notably includes an annualQuantitative Reporting Template(QRT) that provides details on theinformation contained in the RTS.

• Annual Solvency and FinancialCondition Report (SFCR): for themarket, adopts the structure of theRTS without the information forsupervisors.

• Quarterly RTS: mainly includes aquarterly QRT, a concise version ofthe annual QRT.


The necessary convergenceof Risk and FinanceWe have seen that companiesincreasingly tend to plan a specificoperational project on this subject fora number of reasons:

• Technical issues: Companies areconfronted with an increasingnumber of reporting requirements(SFCR and RTS within Solvency II atdeployment, MCEV, IFRS 4 Phase 2,reports to rating agencies, etc.),for which the frameworks are notalways the same. Each companymust ensure that it can cope withthe risks of error in the differentreporting processes (internalcontrol principle), and be able toreconcile and justify the differencesbetween the different reports(differences in method,measurement basis, etc.).

• Operational performance issues:In light of the requirementsmentioned above, many companieswill have to increase the number oftheir closing and reportingprocesses. This gives rise tolegitimate concerns about efficiencyand cost-cutting in these low value-added processes. Several companiesplan to set up a shared datawarehouse that will be updated bysource systems (management,assets, inventory, etc.) and fromwhich data will be extracted in thesame way by different users fordifferent data processing activities.Downstream, these companies tendto organise all market disclosuresfor more consistent communicationand to assure greater control overpublication schedules.

• Strategic issues: As a result ofregulatory pressure, marketpractices are converging towardsthe assessment and managementof risk-weighted performance.In addition to ‘traditional’ financialand operational performance,management systems must producea review of the risk incurred by thecompany to reach these figures, ormore specifically the ‘performance’of the company’s risk-taking. Thisnew approach will undoubtedlyresult in the set-up of projects toconsolidate these systems andoverhaul the management toolsused by general management andshareholder communication. Theseareas are a priority for generalmanagement and policymakers andwill gradually be implemented asthe ORSA processes mature.


2.2.5. Establishing strategiccapital planning

The forward-looking analysis of capitalcould be considered the last deliverablein the risk management process. UnderSolvency II, measuring and managingrisks must enable the company tomaintain its solvency at all times and tostrike a balance between businessobjectives and the amount of riskincurred to reach them. The forward-looking analysis of capital requirementsor strategic capital planning is theprime focus of the ORSA process andmust be carried out in closecollaboration with management.

This process is designed to show that theinsurer can raise the capital necessary tocover solvency margin requirements forthe strategic planning period. For eachbusiness strategy, the insurer simulates alarge number of scenarios in which riskparameters are adjusted to comparesolvency margin requirements andavailable capital. This analysis is carriedout prior to every major strategicdecision (merger, acquisition, launch ofa new business, etc.).

If the analysis reveals insufficientcapital, the insurer must prove that ithas a realistic back-up plan, e.g.:

• A recapitalisation plan

• Transfer of risk (reinsurance,derivatives hedging, securitisation,etc.)

• Limiting of gross exposure(underwriting limits, investmentlimits, etc.), e.g. by adjusting thestrategic configuration (jointventure rather than a new company,and so on)

• Loss absorption mechanisms(participation reserves, call forsupplementary contributions, etc.).

The company must also be able tomeasure the sensitivity of theseanalyses to any deterioration in itscompetitive or macroeconomicenvironment. Along with these capitalplanning analyses, stress tests areperformed to understand theunderlying assumptions, thedeterminants of capital planning and itssensitivity to risk. Stress testing can

notably be used to identify potentialthreats and devise back-up plans toreduce their impact on the company’sfinancial position. Stress scenarios areclearly explained, for example thoseused by EIOPA in 2009 to determine thesolvency of the European insuranceindustry:

• Adverse scenario: 15% to 50%decline in relative value of interestrates depending on maturity,widening of credit spreads, 10% to20% drop in equities, 15% drop inproperty simultaneously with amassive wave of redemptions.

• Deep recession scenario: 40% to60% decline in relative value ofinterest rates depending onmaturity, widening of creditspreads, 40% to 55% drop inequities, 25% drop in propertysimultaneously with a massive waveof redemptions.

• Inflation scenario: 40% to 500%rise in relative value of interest ratesdepending on maturitysimultaneously with a massive waveof redemptions.


Within your Solvency II complianceprogrammes, Pillar 2 provisions willrequire the implementation of certaincross-business ‘sub-projects’. Althoughnot directly required by the regulatoryprovisions, these sub-projects are infact essential from an operationalstandpoint. We shall develop thissubject further here, focusing on alimited number of projects that areclosely linked to Pillar 2 provisions:

• Data quality – Measuring andmanaging risks, then applying themto strategic capital planning requiressignificant confidence in thereliability of the data andcalculation processes used.

• Validation of the internal model –Companies that have opted to usean internal model as of 1 January2013 must take into account themyriad of constraints of the pre-validation process and then the finalvalidation by the regulator.

• Change management – Regulatoryrequirements most often call for amajor organisational transformationand significant changes in practicesthat you will need to understand,calibrate and guide.

• Implementation of ORSA – Thisprocess must show the company’sability to integrate its risk effectivelyinto its management and itsstrategy. Only rarely do companieshave all of the necessary pieces ofthe puzzle in place to meetregulatory principles.

2.3 Managing cross-business projects


2.3.1. Ensuring data quality

Data management requirementsData quality is a key issue in theSolvency II Directive. Following theexample of Basel II, it concerns thecompleteness, appropriateness andaccuracy of the data used to produceregulatory solvency indicators.

The choice between an internal modeland the standard approach does notaffect the management of data quality.As only internal models requirevalidation by the regulator, this optionrequires the greatest compliance effort.The level of quality must be certifiableand verifiable. In other words, thestandards are more or less comparablewith those for an accountant. Theburden of proof lies with the insurer.

In order to comply with the regulatoryrequirements, a distinction must bemade between two aspects of dataquality:

• Static aspect: in which the quality of the data that feeds the modelmust be assured, irrespective ofsource, and

• Dynamic aspect: control of dataextraction, transmission andtransformation processes where thedata comes from managementapplications that are used inactuarial calculation, cash flowprojection engines and in reportingcomponents for the ‘publication’of regulatory solvency indicators.

These two aspects are to be understoodin light of the fundamental purpose ofSolvency II as opposed to the currentsolvency regime, which is based on afixed percentage. The new regimeintroduces sensitivity to insurers’ riskportfolios. Each business line is handledseparately, based on the notion thatfor the same premium, exposure andtherefore capital consumption varydepending on the type of risk.The calculation of solvency capitalrequirements (SCR) is specific to eachbusiness line, as are the tools, controlsand data, e.g., Life, Non-Life, etc.

‘Static’ issues: managing dataThe Directive and several consultationpapers mention the three criteria ofdata quality analysis from a static pointof view:

• Completeness: The data availablecover all the risks in the portfoliowith the same granularity andhistorical depth, whether in directmanagement, delegatedmanagement, coinsurance orreinsurance.

• Accuracy: The data contain no biascaused by human, IT or technicalerror that would make it unfitfor use in calculating a regulatoryindicator.

• Appropriateness: The data issuitable for the intended purpose. Inthe event of any deficiency or lack ofdata, the proxy used is explicitlydocumented and justified in orderto be clearly understood by theregulator.

These principles cover all the data usedwithin the framework of regulatorycalculations, from managementapplications (description of contracts,claims, premiums), asset-liabilitymanagement, accounting (fees,commissions, etc.) or external sources(assumption data, marketing data,shocks, ratings, economic scenarios,macroeconomic data, etc.).

Three main deliverables are prepared inorder to comply:

• The data dictionary, which lists allof the data used in the internalmodel or standard formula. Thisspecific scope of data is where thecompany must show that it cansuccessfully meet the three dataquality criteria listed above.The regulatory authorities requireall insurers to internalise thesethree concepts and adapt them intomeasurable criteria for data quality.This crucial work is to be carried outas the dictionary of data used bythe risk management processes isbeing built. Determining thesemeasurement criteria for dataquality while building the dictionaryby business line and sourceprocess/system is the cornerstoneof two major deliverables, namelythe insurer’s data quality charter orpolicy and the data governancemodel.


• The quality policy for risk datais a fundamental document whichsets out precisely:

– The objectives, scope issues,resources, etc.

– The measurement criteria ofdata quality, aligned with thethree criteria of the Directive(completeness, accuracy andappropriateness) for eachbusiness line.

– The principles for data qualityreview (frequency, depth, scope,retrieval, responsibility).

– The dashboard for monitoringdata quality by business line,notably based on:

• Data and network security

• Data integrity

• Data availability

• Compilation of records

• The risk data governance modeldefines:

– The objectives, scope issues,resources, etc.

– The measurement criteria ofdata quality, aligned with thethree criteria of the Directive(completeness, accuracy andappropriateness) for eachbusiness line.

– The principles for data qualityreview (frequency, depth, scope,retrieval, responsibility).

– The dashboard for monitoringdata quality by business line,notably based on:

• Data and network security

• Data integrity

• Data availability

• Compilation of records

‘Dynamic’ issues: securingtransmission channelsWork on dynamic issues includes thecontrol of the infrastructure andprocesses in risk data management.Most firms have set up data warehousesinto which business data are fed to beused to calculate indicators (economiccapital, MCEV, etc.), technicalprovisions and operational andfinancial management indicators.They are also generally used to updatedata in management dashboardsand accounting/managementreconciliations.

Insurers should concentrate theirefforts on data transmission channels.The source of a Solvency II datachannel is in a managementapplication. The channel integratescomponents from infrastructure andtransformation operations, aggregationand data calculation, through to theintegration of assumptions, shocks,cash flow projection, calculation ofdifferent SCRs and production ofinternal and regulatory reporting. It isan end-to-end process that mustinclude a thorough, documented audittrail. There are virtually as many datachannels as there are source systems.The role of data centres or warehouses

is to concentrate data. The datadictionary is used to align the flowsfrom source systems and reconstitutethe data from a given system ifnecessary so as to ensure perfectconsistency between portfolios,regardless of their source systems.

The other positive consequence is toprevent spreading the businessapproach of applying sourcemanagement throughout the datawarehouse (relational principles,terminology, etc.). The data extractedand transformed are available for alarger number of ‘clients’ and moreeasily meet use test requirements, asstipulated in the Directive.


2.3.2. Obtaining validation of the internal model

As mentioned above, the internalmodel is more than a mere calculationtool; it is a key element in thecompany’s decision-making processes.Whether total or partial, this modelmust be approved by the regulator.A considerable amount ofdocumentation must be drawn up toprove that the model meets theDirective’s requirements.

Validation proceduresThe Directive defines eight tests that acandidate company must pass tovalidate the internal model:

1. Use test:Management mustunderstand the internal model’s riskand capital assessments as afundamental driver in implementingits business plan and strategicdecision-making processes.

2. Statistical quality standards:Assessments must be based onrelevant, reliable, consistent andunderstandable risk factors andrealistic, credible and verifiableassumptions.

3. Calibration standards: Resultsmust be calibrated to a 99.5% VaRover one year.

4. Profit and loss attribution:Companies must regularly checkwhether the risk classification andthe profit and loss attribution intheir models accurately reflect thecauses of profits/losses ofoperational units.

5. Validation standards: Theappropriateness of assessments andunderlying assumptions must betested regularly against data drawnfrom experience. Companies mustalso gauge how sensitive results areto changes in key assumptions.

6. Documentation standards:Regularly updated written recordsmust be kept on the model’s design,operational details, mathematicalbases and underlying assumptions.

7. Internal model governance:The internal model is only approvedif the insurer meets satisfactorygovernance and internal controlstandards.

8. External models and data: Thesetests also apply to third-party(outsourced) data or models.

Organising the validation processIt is important that the company candemonstrate that the model has beenadapted to its business by the decisionmakers, that it is understood andapplied correctly. Basically, it mustshow that the model plays its intendedrole in the governance system. Thecalculation methods used by the modelmust be adequate and based oncredible assumptions. The companymust be able to justify any differencesbetween the underlying assumptionsused in the model and those in thestandard formula. The model mustcover all the risks to which the companyis exposed and its calibration must haveno adverse effect on policyholders’benefits.

The model must allow for the annualanalysis of the business’ profits andlosses broken down by risk categoryincluded in the model. This shoulddetermine the company’s real riskprofile. The model must also bemonitored and approved on a regularbasis to ensure that it remains in linewith the risk profile. This validationprocess, illustrated in the diagrambelow, must show the regulator that thecapital requirements calculated by themodel are in line with the company’sactual risk profile.


The company’s application forvalidation analysed by the regulatormust include all of the above-mentioned items. The applicationshould show that the internal model isthe result of a structured approach andis perfectly integrated and documented.This step in preparing the validationapplication can actually be rathercomplex and should therefore becarefully planned. At its conference on22 November 2010, the ACP offeredsome useful pointers concerning thedocuments it expects in the validationapplication:

• In addition to the application thatwill form the basis of its assessment,the ACP expects all of thesupporting documents to becompletely available and compiledinto a detailed summary.

• For international groups, theworking language is English, but atleast a partial translation of theapplication into French is required.

• The mathematical methodologiesused (assumptions, operationalapplication, configuration,frequency of revaluations) must beclearly described.

• A precise description should beprovided of the model’s governanceprocesses, notably regardingcoordination between subsidiariesand the Group.

• The internal validation policiesfor the model, data managementand enhancements to the internalmodel should be included in theapplication.

The regulator performs the internalmodel validation process in line withthe timing constraints set by theDirective. This process includes apreparation and a pre-validation phase.At the same conference, the ACPindicated the main milestones in itsvalidation timetable:

• Preliminary discussions withapplicants about their model should have been completed by 31 March 2011.

• The regulator expects the companyto submit its internal modelvalidation application (i.e.,documented application that has been approved internally) by 31 March 2012.

Validation tools

Validation scope

Roles and responsibilities

Reporting

Policies forchanging Model

Independent validation

Do

cum

enta

tio

n th

roug

hout

a v

alid

atio

n p

roce

ss

Frequency

Materiality

The reporting process is secured by a series of consolidations in a step-by-step approach. The following points must be clearly defined:– reporting procedures for results of the validation process (including in particular the independent review) – the standard reporting format.

At this stage, it is important to identify:– key ‘validators’ of policies and rules – the roles and responsibilities in the internal model validation process: notably the breakdown between central and local teams and the procedures for the independent review to be conducted in 2013.

Validation rules must define the frequency of the steps in the validation process. Here again, there may be differences depending on the module and/or country concerned.The factors that trigger the ‘OK’ validation or changes to the model must also be identified.

This step covers the inventory of fundamental tools used for validation tests and the mapping of their coverage.These points are important to take into account:– local approaches of subsidiaries where applicable – any reservations or limitations identified during validation.

Management’s required materiality level in its validation policy must also be defined, along with the function of segments. Function of segments (functional and/or geographical) concerned. Requirements maydiffer in terms of materiality thresholds.

The following points must be defined upstream of the validation process:– the scope of the internal model: how was the model defined, using what processes? – the scope of validation principles: is the model covered in its entirety?– proportionality: what parts of the model could possibly be excluded?

Figure 18: Internal model scope validation

Source: PwC


2.3.3. Managing change

Generally speaking, the Solvency IIcompliance project is a fundamental,company-wide programme with animpact at almost every structural level:strategic and decision-makingprocesses, organisation, governance,information systems and, especially,corporate culture. These newoperational procedures require fullinvolvement from all staff as Solvency IIchanges both behaviour (notablyregarding risk) and the way of working.It is vital that resources are planned,scheduled and implemented in order tohelp spread ‘Solvency II culture’ fromthe outset of the project.

Necessary discipline in managingthe programmeA project is referred to as a programmeif it includes several complex sub-projects that must be coordinated.Given the breadth and complexity of allof the Solvency II sub-projects and thenumber of contributors involved inimplementing an efficient cross-business programme, managementstructure is a key factor in theprogramme’s success. It is a pre-requisite for the launch of theoperational projects and covers allrelated responsibilities:

• Coordinating the various projectsrelating to the three pillars andother related projects (e.g, upgradeof the information systems alreadyunderway, enhancement of theinternal control system, etc.).

• Coordinating programmecommunication and training.

• Fostering a ‘Solvency II culture’within the company.

There is no ideal structure; eachcompany defines its own programmemanagement procedures in line with itsspecific constraints, objectives andtimetable. We have provided a genericexample of this type of structure in thediagram below. We would also like topoint out two major factors for itscalibration:

“Governance under Solvency II requires a clearcommitment from all heads of operating units.Change management will be central to ensuringacceptance of methods that are far more bindingthan many risk officers have previouslyexperienced.”

Philippe Léglise, Risk officer, Allianz France


• It must be able to manage variousprojects in the programme and theirinteraction simultaneously (poolingof resources, cross-impact analysisof key choices made for a specificproject, etc.).

• It must closely reflect the existingorganisational structure in place inorder to roll out the culture-relatedprojects and enhancements neededthroughout all Group entities.

The ideal scenario is to create adedicated change management unit tolead and coordinate change. It shouldbe responsible for managing internalcommunication on the programme andthe implementation of the risk culture.It can also oversee, in conjunction withHR, the requirements for training andadditional resources in order tocomplete the various projects.The change management scopeextends beyond just the Solvency IIprogramme scope; instead, it coversall company staff.

Subsidiary coordinator 1 Subsidiary coordinator 3Subsidiary coordinator 2

Group Level

Local Level

Sponsor

Solvency II ProgrammeDepartment

1. Solvency calculations

3. Risk strategy2. Internal models

5. Changes inframeworks and

internal standards

6. Implement.of ORSA

7. Financial reporting and

communication

4. Risk structure/governance

Change management

Risk projectmanagement

8. Industrialisation of period-end

processes

9. Roll-out

Pillar 1 Pillar 2 Pillar 3

Project coordinator

Contributors

Project coordinator

Contributors

Project coordinator

Contributors

Project coordinator

Contributors

Project coordinator

Contributors

Project coordinator

Contributors

Project coordinator

Contributors

Project coordinator

Contributors

Subsidiary coordinator 4

Figure 19: Example of project structure for Pillar 2 Implementation

Source: PwC


Defining a communication strategyCommunication is fundamental to managing change and bringing about a new corporate culture. The communicationstrategy must take into account the different levels of communication, corresponding to different audiences andrequirements:

1. Solvency II programme Internal communication

2. Group internal communication

3. External communication Corporate and public communication: press releases, annual report, public information, etc.

Regulatory communication: ACP, regulatory reporting

Communication to employees: S2 programme newsletters, general information to all employees on intranet or other media, etc.

Internal communication in S2 programme: progress reports, steering committee meetings,programme committee meetings, project meetings initiated by project managers, documentation base, etc.

Figure 20: Communication strategy

Source: PwC


A global communications strategy is auseful tool in managing the Solvency IIprogramme. Its main objective is topromote the involvement of key playersin the Solvency II programme through

initiatives designed to help themunderstand the requirements of thethree pillars and how they are appliedto each operational level. Thecommunications strategy is often

broken down into communicationplans. The table below is an exampleoutlining the main points:

Communication level Recipients/Target audience Communication channel or medium

Role of the Solvency II Programme management/Change Management Unit

Role of the Communication Department

1. Solvency II programme internal communication

• Everyone involved in Solvency II programme

• Steering Committee members

• Project Committee members

• Bodies specific to each project

• Team meetings, working groups, committees, etc.

• Internal documentation (presentations, training materials, minutes to meetings, etc.)

• Is responsible for and independently manages internal communication programme

• Advises/provides the project with communication tools if applicable

2. Group internal communication

• Directors

• Executive Committee members

• Management Committee members

• Programme progress reports, general and/or technical information (e.g.v training material)

• Option of dedicated page/portal on intranet

• Proposes the format

• Approves content and messages

• Is responsible for distribution

• Checks and approves the consistency of messages and format

• Manages communication tools

• Is responsible for announcement/publication

• All Group employeesin the broad sense

• Slovency II programme newsletters, general information to all employees on intranet, etc.

• Programme presentation material

• Proposes content and contributes to formulation of messages

• Checks and approves the consistency of messages and format

• Is responsible for announcement/publication

3. External

communication

• General public

• Group clients

• Press releases, annual report, public information on Group website, press conferences

• Proposes content and contributes to formulation of messages

• Approves content, messages, format with GM

• Is responsible for

• ACP

• European supervisors (CEIOPS, etc.)

• Reporting on progress, ACP requirements, participation in industry-wide discussions and working groups, etc.

• Approves content, messages with other departments concerned (Technical Department, Finance Department, etc.)

• Is responsible for announcement/ publication through ACP representative

• Is systematically informed prior to any announcement/publication

v

Figure 21: Example of communication plan

Source: PwC


Managing changes inhuman resourcesHuman Resources is the second criticalarea of change management. TheHuman Resources department iscritical to the programme’s success,given the important role played bymany of the functions within its remit:

• Training: Develop employees’business expertise and provide themwith the technical knowledgerequired to perform their duties in aSolvency II environment.

• Recruitment: Attract externalexpertise that the company does notcurrently have and foster loyaltyamong these experts, taking intoaccount the high-pressureenvironment for some profiles(actuaries, risk managementspecialists, etc.).

• Knowledge management: Identifythe technical and managerialexpertise which needs to bedeveloped in the Solvency IIenvironment and coordinate thetransition.

• Management of individualperformance: Foster and guidechanges at the most basic level ofthe organisation.

Training contributes considerably todeveloping employee expertise, notonly during the project phase but alsofollowing the implementation of theDirective. This includes training on thecontent of the regulation itself (e.g. thethree pillars of the Directive, the CPs,QIS 5) and risk management. It isexpected that training on the new risksto be taken into account by insurers willbe requested most often:

• Market risks

• Credit risks

• Operational risks, and so on.

Similarly, a sharp rise in requests fortraining on financial techniques andproducts is to be expected fromemployees involved in technical, risk orfinance processes or even otherbusiness lines.

In order to promote a risk culture, a keyissue in Pillar 2, both technical trainingfor professionals and ‘awareness’training aimed at all company staff areessential. The latter type of trainingmust focus on presenting the Directive’smain concepts, what they mean for thecompany and the insurance industry,and the changes to expect in theinsurance profession.

One of the ways to accelerate learningabout Solvency II in the company is toencourage its rapid adoption amongoperational managers. They must be atthe heart of training and should be

among the first informed and trained.They should in turn be able to traintheir teams, at least in the areas thatdirectly concern them. This is the ‘trainthe trainer’ model. Solvency II traininghas been an extremely important issuein 2011 and will continue to be in 2012.HR managers should already bedefining needs and assessing theirimpact on training budgets.

In terms of knowledge management,companies with a strategic workforceplan should also take into account theexpected changes in employees’expertise very early on. Expertise(current vs. target) must be entirelyremapped. Any gaps must be closedthrough both training and hiring,meaning that recruitment needs for2012-2013 must be identified rapidly,as some profiles, such as actuariesor asset-liability managers, areparticularly difficult to find.

Finally, performance management isalso important in stepping up change.In order to advance their complianceto Solvency II, companies may planto set specific targets for managers,e.g., on implementing Pillar 2 (ORSAimplementation, formal definition ofprocesses, identification of risks andcontrols, etc.), either in newassignment letters or annualperformance reviews.

A portion of performance-related payshould depend on meeting these targetsin order to boost motivation.


2.3.4. Implementing ORSA process

ORSA implementation follows a five-step process that is integrated into thecompany’s risk management:

• Risk identification

• Risk appetite

• Strategic planning

• Stress testing

• Capital allocation

Activating this process affects everylevel of the company, following either atop-down or bottom-up approach:

• From senior management tooperational units: definition ofcompany strategy, risk appetite,capital allocation to business lines.

• From operational units to seniormanagement: risk identification,measurement of the risk profile,risk reporting.

“ORSA is set to be a strategic management andoversight tool for the insurance business. Thebenefits it brings will be closely linked to theflexibility of its operational implementation.”

Sébastien Simon, Head of the Solvency II Programme, SociétéGénérale Insurance


The following dynamic diagram provides an overview of the ORSA process over the budget period:

Coordinating and industrialisingthe ORSA report with Pillar 3 riskreports

Directive Articles 35 and 50 and CP 58stipulate that the ORSA reportsubmitted to the regulator must containquantitative and qualitativeinformation that is also included in thereports (RTS and SFCR) required underPillar 3.

Top-down risk ID

Top tierrisks agreed

Risktemplate

Risk aggregation

and prioritisation

ProposedTop tier

risks

‘Deep dive’risk

assessment

Agreed andadopt risk Policy

Bottom-uprisk ID

Redefine risk controlling, mitigation plan process and

reporting requirement

Day-to-day operational

implementation

BoardRisk

AppetiteVision

RiskAppetite

Statement

RiskAppetite

assessment

Strategicaspiration

Facilitate strategic

financial plan

Agree plan

Sign-off

Agree stress scenarios

Reviewstress

scenarios

RiskAppetite

monitoring

Quarterlyreporting /

steering

Quarterlyreporting /

steering

M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M1 M2 M3M1 M2 M3 M4 M5 M6 M7 M9 M10 M11 M12 M1 M2 M3

ExecutiveCommittee

RiskCommittee

RiskFunction

Finance Function

BU 1

BU 2

BU 3

BU 4

BU 5

Function FacilitateTake decisions

ExecuteIterative process

Strategic planning

Risk appetiteQuarterly steering

Risk identification

Stress testing

Legend

Proposed top-down

risk ID

Risk identification

(ID)

Risk identification

(ID)

3-yr strategic

target setting

Define stress scenarios

(input from BUs)

Bottom-up strategic financial

plan

Stress-test of plan / capital planning

Capital allocation

to BUs

Capital allocation

to BUs

BUs stress-testing

Risk-adjusted

performance measures -

tools and techniques

Risk-adjusted

performance measures - aggregation

Risk-adjusted

performance measures - calculations

M8

Figure 22: ORSA process (throughout the budget process)

Source: PwC


Conclusion

Operational implementation requiresdeep-seated change in terms ofboth organisation and businessmanagement. Launching projects suchas these requires careful attention toa few key concepts underscored bythe Directive.

‘Risk appetite’ must be defined anddocumented with respect to thebusiness goals. The same applies tothe company’s ‘risk culture’, i.e.,acceptance by staff of a clearly mapped-out risk profile and strategy. The thirdkey to ensuring operational compliance

is the choice of which organisationaland governance models to use for therisk management process. Whichdecision-making model should beimplemented? To whom shoulddecision-making and control powers be assigned? How should the riskfunction be scoped?

These decisions will pave the wayfor the interpretation and adaptationof the principles of Pillar 2 based onyour organisation, its specific set-upand its commercial strategy.


Overall Conclusions

Of the three pillars of the Directive, Pillar 2 is undoubtedlythe most important and complex to implement because itrequires companies to place risk management at the heartof their operational business models.

As we have explained throughout this paper, it involvesthe introduction of a new standard framework for riskmanagement that must now form an integral part of allmanagerial functions. Above all, Pillar 2 implies makingdifficult decisions related to configuring and adapting theoperational application of this framework at all levels ofthe company – organisation, control, governance, relationswith ‘suppliers’, and so on.

The tools and framework, together with the ERM approach,serve to align company strategy with the risk accepted andtaken on by management and operational staff. Under thisPillar 2 approach, the risk function becomes the cornerstoneof the risk management system.

Implementing a risk culture, another key issue in Pillar 2, isalso critical to meeting compliance objectives and ensuringthat they are both operational and effective. Companies willbe aided in this endeavour by two main drivers:communication and human resources.

Pillar 2 also represents a radical change for many companiesin the insurance sector. Except for large groups, manycompanies have not changed their structure or operationalprocesses for several years. The Solvency II Directive providesan excellent opportunity, particularly in a climate ofeconomic crisis, to optimise company management andincrease operational efficiency in all functions by definingand streamlining processes, upgrading information systemsand tools, building staff knowledge, and so on.

In the same way, implementing ORSA also offers a numberof opportunities by prompting insurers to optimise theiroperational performance over a strategic three- to five-yeartimeframe, ensuring that the company’s capital is in line withits risk profile and business ambitions. ORSA is destined tobecome a key instrument for strategic management.

This expected enhancement of operational performanceshould, in the long term, largely offset the significantimplementation costs of compliance with the Directive,especially Pillar 2.

The results of the PwC 2010 pan-European study onpreparations for Solvency II demonstrate that insurers seemto be coming to terms with the challenges involved inimplementing regulations that place risk governance at theheart of their business.

Contacts

Thank you to our contributors • Sébastien de la Lande• Dominique Daijardin• Antoine de la Bretesche • Pierre-Antoine Duez• Stéphanie Artigaud• Benoît Germain• Rémi Saucié• Nicolas Simon

Marketing contact • Elodie Coquerel+33 1 56 57 85 [email protected]

Eric DupontFrance Insurance Leader+33 1 56 57 80 39+33 6 08 90 64 [email protected]

Jimmy ZouFrance Solvency II Leader+33 1 56 57 72 13+33 6 74 27 34 [email protected]

Quoc Nguyen DaoDirector+33 1 56 57 57 14+33 6 74 32 19 [email protected]


www.pwc.com/solvencyIIPwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who arecommitted to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon theinformation contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy orcompleteness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers does not accept or assume any liability,responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for anydecision based on it.

© 2012 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopersInternational Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act asagent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of itsmember firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions ofany other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.

pillar 2: operational issues of risk management

Economy & Finance