Key functions in the system of governance Responsibilities, interfaces and outsourcing under Solvency II

Transcription

1 Responsibilities, interfaces and outsourcing under Solvency II Author Lars Moormann Contact solvency January Münchener Rückversicherungs Gesellschaft Königinstrasse 107, München, Germany Order number With the introduction of Solvency II, European insurance companies will have to meet a large number of new requirements. Apart from the quantitative requirements in the first pillar and the disclosure obligations in the third, the second pillar contains extensive requirements relating to the way insurers organise their business. Article 41 of the Solvency II Directive stipulates that companies must have an effective system of governance in place to provide for sound and prudent management of their business. Though this requirement and other provisions will not fundamentally change the current system of governance, additional requirements will have to be met. Under Solvency II, insurance companies will have to have in place the following four key functions: Risk management function Compliance function Internal audit function Actuarial function Function is defined as the internal capacity to undertake practical tasks. 1 The functions will in turn have to satisfy a range of requirements, such as fulfilling the fit and proper requirements, comply with certain reporting requirements and be in a position to perform their tasks and exercise the authorities given to them. 1 Solvency II Directive, Article 13 (Definitions), paragraph 29. This Knowledge Series provides an overview of the requirements in Articles 41 to 49 of the Solvency II framework directive that will apply to the four future key functions and describes their tasks and responsibilities and the outsourcing possibilities on the basis of the state of the debate as at the end of The information provided is essentially based on the framework directive and more detailed descriptions in Level 2 and 3 papers. For ease of reading, references to sources are made in the text only for certain important points. Some adjustments may be necessary as Solvency II continues to develop. System of governance and key functions Recital 30 of the Solvency II Directive requires European insurance companies to set up the above mentioned four key functions (risk management, compliance, internal audit and actuarial functions). Function does not necessarily mean a specific person or department. A company is free to decide on its own structure functions may be centralised or decentralised, independent or integrated. Recital 32 specifically mentions the possibility of concentrating several functions in one person or one unit. It is important for guidelines to be prepared to clearly document the tasks and the positions/ people responsible for performing them. Functions must be able to fulfil their responsibilities objectively, fairly and independently, so that, for ex ample, the internal audit function can only be performed by an independent unit. 2 2 Recital 32 of the Solvency II Directive.

2 Page 2/8 Table 1: Articles in the Solvency II directive relevant to the system of governance Article 41 Article 42 Article 43 Article 44 Article 45 Article 46 Article 47 Article 48 Article 49 General governance requirements Fit and proper requirements for persons who effectively run the undertaking or have other key functions Proof of good repute Risk management Own risk and solvency assessment Internal control Internal audit Actuarial function Outsourcing Fig. 1: The three lines of defence in the governance system Risks The Articles listed in Table 1 define the main requirements and responsibilities of the key functions, which we briefly describe below: According to Article 41, the tasks, responsibilities, processes and reporting obligations of the four key functions must be transparent and clearly defined. At least for risk management, internal control, internal audit and outsourcing in general, there must be written guidelines, and compliance with them must be assured. Furthermore, there is expected to be regular communication between the Board and the Management Responsible for risks and controls 1st line of defence: operational units Identification, analysis, assessment and management of risks on a day-to-day basis 2nd line of defence: risk-management function, actuarial function and compliance function Monitoring of risks and operational and central divisions 3rd line of defence: internal audit Independent of operational units and 2nd line of defence; responsible for performance of internal controls The functions must have clearly segregated responsibilities, though there will inevitably be some overlaps, and where they occur the distribution of tasks and responsibilities must be clearly defined and documented. key functions, the latter communicating independently with the relevant departments at the company. Article 42 sets out the requirements for persons in charge of key functions. To comply with the fit and proper requirements, they must have appropriate professional qualifications and be of good repute and integrity to guarantee sound and prudent management of the company. The principle of proportionality is not applicable to this requirement. Companies must prepare a fit and proper guideline, in which the procedure for assessing suitability for a key function is documented. The fit and proper requirements for key functions stipulated in Articles 42 and 43 can be summarised as follows: Professional qualifications and practical experience in the function concerned Analytical skills and competence in solving problems Ability to communicate with people at all levels in the company (irrespective of their position in the hierarchy) Irreproachable certificates of good conduct and reputation Articles 44 to 48 of the Directive concentrate on the responsibilities of the four key functions. The four key functions in detail The establishment of the four key functions for Solvency II will bolster the three lines of defence structure. As shown in Figure 1, the front-line operational units are responsible for the initial acceptance or decline of a risk. The risk-management, actuarial and compliance functions form the second line, regularly monitoring and managing all of the risks at aggregated level and controlling the underwriting guidelines and acceptances in the operational units. As the third line of defence, internal audit regularly reviews the entire system of governance and all other activities in the company. Risk-management function According to Article 44 of the directive, the risk-management function, like the organisational structure and the decision-making processes, shall be structured in such a way as to facilitate the implementation of the risk-management system.

3 Page 3/8 By risk-management system, Solvency II means the strategies, processes and reporting procedures necessary to continuously identify, measure, monitor, manage and report incurred and potential risks and their interdependencies at an individual and at an aggregated level. The risk-management system should cover at a minimum the following areas: Risk assumption and reserving Asset-liability management (ALM) Investments, especially derivatives Management of the liquidity and concentration risks Management of operational risks Reinsurance and other risk-mitigation techniques The core tasks of a risk-management function thus comprise the following: Overall coordination and control of the risk-management tasks Measurement and assessment of the overall risk situation, including early identification of potential future risks Reporting to the Board The risk-management function is responsible for producing correct guidelines for the development of strategies and processes for identifying, measuring, monitoring, managing and reporting risks at a company. It is also responsible for calculating the solvency capital requirements, the agreement and management of the risk profile, the appropriate consideration of interactions between different risk categories and the identification and systematic integration of emerging risks. In addition to coordinating the overarching risk-management activities, the risk-management function should also identify potential risks and recommend appropriate countermeasures to the Board. The risk-management function also has reporting responsibilities: relevant risks must where appropriate be represented qualitatively and quantitatively and internally and externally, and all significant risks classified and shown as an exposure figure. Besides that, the function must report to Board on the effectiveness of and any shortcomings in the riskmanagement system, and on the ORSA 3 results (e.g. the development of risk capital in the coming years). The risk-management function shares responsibility for the risk strategy and determination of the risk distribution, and prepares the documentation needed by the Board to enable it to take the necessary decisions (e.g. on risk appetite). If a company uses an internal model or partial model to calculate its risk capital requirements, the risk-management function has additional significant responsibilities pursuant to Article 44, paragraph 5 of the directive, including the design, implementation, validation and operation of the internal model. In addition to the above-mentioned fit and proper requirements, the risk-management function will no doubt have to include people with a professional scientific and mathematical background, ideally backed up by appropriate qualifications (e.g. actuaries). Compliance function Article 46 of the directive sets out the requirements for the compliance function, which is a component of the internal control system and is responsible for compliance with that system. An internal control system must incorporate at least the following three areas: Administrative and accounting procedures Internal control framework Appropriate reporting arrangements at all levels in the company In addition to supervision of the internal control system, the compliance function has the following three core areas of responsibility: Risk control Early warning Provision of advice to management According to the implementing measures, the function is responsible for risk control, i.e. the identification, assessment, monitoring and reporting of compliance risks. Compliance risk is defined as the risk of incurring legal or regulatory sanctions, significant financial loss or damage to reputation resulting from the company s failure to comply with laws or regulations. Any violation of the law at a company must be investigated and followed up by the compliance function and reported to the Board, and in certain circumstances to outside bodies such as the financial supervisory authority. To enable it to fulfil its responsibility to provide early warning of problems, the compliance function must consider possible future changes in the legal environment and their potential effect on the company. This also includes the compliance plan to be produced by the compliance function mentioned in Guideline 41 of the framework directive, which should cover as a minimum the compliance risk and the legal-changes risk for the following financial year. 3 Own Risk and Solvency Assessment.

4 Page 4/8 Another key responsibility of the compliance function is to advise the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions adopted pursuant to the Solvency II framework directive, as stated in Article 46, paragraph 2. The advice should include the preparation of rules, including the training of staff in compliance with legal requirements. The compliance function should also provide operational areas and the risk-management function with support on legal requirements when new products and services are to be launched or when the company intends to enter a new market. In summary, the compliance function is first and foremost concerned with monitoring and controlling compliance with and application of laws and regulations from an internal perspective, with particular attention paid to the management of operational risks. This function is not the same as that of a traditional legal department, which tends to concentrate on operational tasks rather than providing advice or having prevention and control responsibilities. In addition to the fit and proper requirements described above, the compliance function will have to include staff with a legal background. Internal audit In contrast to the other key functions, internal audit is a function that is not permitted to undertake either operational tasks or the tasks of other key functions. According to Recital 32 of the framework directive, the independence of internal audit must be guaranteed. It constitutes the third of the three lines of defence. The responsibilities of the internal audit function are set out in Article 47 of the framework directive. They include the evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance. The resultant findings and recommendations must be the subject of reports. The core tasks of internal audit are: audits and reporting In principle, all of a company s activities are subject to internal audit. Under Solvency II, the emphasis will be on auditing the operation, effectiveness and appropriateness of the system of governance, with the internal control system as an integral part thereof being explicitly mentioned. The internal audit function must conduct its audits and communicate its findings in a totally objective manner, and not be subject to any instructions from any other department or function. The areas to be examined by the internal audit function are laid down in the implementing measures: Effectiveness and efficiency of processes and controls Compliance with rules and instructions and requirements relating to risk controls and operational capability (including reliability, accuracy and completeness) Timing and frequency of reports (including external reporting) Availability and reliability of IT systems Internal audit should prepare an audit plan based on its own risk assessment of the entire system of governance and ensure that all significant activities are audited at appropriate intervals. Internal audit may well request other units to provide reports or opinions on the internal controls to be performed. The actual performance of the audits and the assessments given are the sole responsibility of the function itself, which must act on its own initiative and not be subject to external influence. The function is permitted to advise other units on controls to be performed provided that the giving of such advice does not jeopardise its independence. To avoid conflicts of interest, Guideline 43 of the implementing measures recommends that the function s staff be rotated at appropriate intervals. Internal audit work should be documented in working papers. A written report on every audit should be provided as soon as possible to the audited unit and in summary form to the Board. Pursuant to Guideline 47 of the implementing measures, internal audit should report possible shortcomings and recommend remedial action with deadlines for completion specifying the persons responsible. The function should also monitor rectification of the shortcomings. The Audit Report, to be produced at least annually, should contain information on internal audit s achievement of its objectives and the degree of completion of the audit plan. Since the internal audit function is responsible for reviewing all parts of the system of governance and hence the other key functions, it is difficult to provide a clear definition of the fit and proper requirements. It is advisable to include a broad spectrum of skills and experience, where appropriate outsourcing certain activities or using specialists from inside or outside the company if the required knowledge is not available within the internal audit function, though, of course, it is necessary to ensure objectivity if staff from elsewhere in the company are used. Actuarial function Article 48 of the Solvency II framework directive requires companies to have an effective actuarial function. This function will have a wide range of responsibilities, which can be broken down into three core areas: Coordination and monitoring of the evaluation of technical provisions, including methodology, assumptions and data Reporting Supporting the risk-management function According to the implementing measures, within the actuarial function there must be a clear separation of responsibilities and appropriate

5 Page 5/8 controls for the evaluation of the technical provisions. The function is not responsible for calculating the technical provisions, but for coordinating the calculation process and assessing the methods, tools and data used for the evaluation. One of the main tasks of the function is to coordinate and monitor the appropriateness of the methodologies and models used to calculate the technical provisions. The function s responsibilities can be summarised as follows: To understand the individual model components, their interdependencies and the way the model depicts and takes account of the resultant diversification effects To develop and regularly review the reserving methodology (stochastic simulation, deterministic approach, etc.) To compare the current assumptions with those for the previous year and those for the previous year with the actual figures to calculate the technical provisions (best-estimate comparison), and identify the reasons for the variances To express an opinion on the reserving and the underwriting guidelines (e.g. the consistency between the underwriting guidelines and pricing, or the financial effect of changes in the general business conditions) To express an opinion on the reinsurance covers, to include a review of the consistency of the reinsurance programme with the company s risk appetite, the impact of a cover on financial volatility and the effect of covers under a range of stress scenarios (e.g. a catastrophe event or the reinsurer s financial strength being inadequate) To analyse the interdependencies between reinsurance programmes, reserving and the underwriting guidelines To analyse the appropriateness of premiums and the technical provisions, taking account of changes in the underwriting strategy or the market environment (e.g. inflation risks or legal changes) To take account of relevant market information To express an opinion on the main risk factors and their influence on profitability in the next financial year To assess and validate the appropriateness, quality and completeness of the (internal and external) data and IT systems used Due to the types of task to be performed by the actuarial function, it is likely that it will have to provide considerable support to the risk-management function by supplying actuarial expertise. In particular, it will be necessary for it to help with the calculation and modelling of the underwriting risks and contribute actuarial methodology to the calculation of capital (own funds) and risk capital requirements. As mentioned above, the actuarial function will also be required to give its opinion on the effectiveness of the reinsurance covers. This will concern a number of areas. In addition to the effect of reinsurance on risk capital, diversification and the economic balance sheet, it will also be important to assess the expected development of business and the ensuing need for reinsurance cover in the following years. Where internal models are used, the function will be required to perform in-depth analyses of and express its views on their design and use. In this area in particular, it will need to work closely with the risk-management function to ensure consistency between reserving and the calculation of the risk capital requirement. It will also be necessary for the actuarial and risk-management functions to work together on certain parts of the ORSA, especially the confirmation that the technical provisions have been calculated in accordance with the Solvency II requirements. In the reporting area, the actuarial function will be required to communicate regularly with the Board and advise other units on technical provisions. It must submit an annual report to the Board essentially covering the results of the above-mentioned activities. On the basis of this report, the Board should be in a position to form an opinion on the appropriateness of the calculation of the technical provisions, the underwriting guidelines and the reinsurance guideline. The report should also provide detailed explanations of changes in the assumptions and the reasons for the changes (best estimates compared to experience values). An assessment of the reserving, the underwriting policy and the reinsurance cover and the interaction between them is also required. Possible weaknesses and deficiencies in all the areas mentioned must also be reported with recommendations for rectification. Deficiencies can be due to a lack of expertise or specialist knowledge (e.g. in the case of new and complex products). Considering the responsibilities of the actuarial function, it is clear that, in addition to satisfying the fit and proper requirements, its staff must have in-depth actuarial and mathematics knowledge. The new function will have to undertake more tasks than the function of designated actuary that currently exists at companies, (e.g. analysing the effect of reinsurance solutions), so that some training and preparation will be required. Companies must ensure that the actuarial function is able to perform its tasks objectively, appropriately and independently. This means, for example, that there must be a clear separation of responsibility for calculation of the technical prov isions and the monitoring of that calculation, with different reporting lines.

6 Page 6/8 Interfaces between the key functions It is evident the will be some overlap between the four key functions. Since companies will be able to tailor the structure of the functions and their precise tasks to their own business and risks, this Knowledge Series will provide only a brief overview of the evident interfaces. As with the organisational structure, companies themselves have to define the separation of responsibilities in their guidelines. To ensure that the system of governance is appropriate and effective, the key functions should work closely together and there should be a regular exchange of information. Figure 2 shows the core tasks of the four key functions, the interfaces between them, and the different focuses the functions concerned have for each interface. For example, the compliance function is responsible for monitoring compliance with all laws and supervisory regulations. Not shown in Figure 2 is the compliance function s responsibility for checking that the other key functions are working properly. An interface with the risk-management function is the compliance risk, which is an operational risk. Via the internal control system, the compliance function has a preventive role of avoiding violations and following up any potential infringements, whilst the risk-management function is responsible for analysing and assessing the compliance risk as an operational risk and taking it into account in the overall risk profile and risk-management process. We have already considered the many interfaces between the riskmanagement and actuarial functions in the Actuarial function section above. They result mainly from the support received by the risk-management function from the actuarial function, which provides data (e.g. cash flows) for the risk modelling used by the risk-management function to calculate the risk capital requirements or in calculations performed for the ORSA. Thus, it is essential for the two functions to work closely together to guarantee, for example, consistency of methodology and models. Moreover, the riskmanagement function may itself request assistance with methodology from the actuarial function. Not only these two functions are expected to provide opinions on underwriting and acceptance policy and reinsurance treaties the internal audit function is expected to do so too. However, the three functions have different focuses: Risk-management function: analyses the impact of each area on the company s overall risk situation. Actuarial function: considers in particular the interdependencies between the underwriting and acceptance policy and the reinsurance contracts, and the implications for reserving. Fig. 2: Interfaces between the four key functions Actuarial function Appropriateness of assessment; interaction Review of assessment process; opinions on underwriting and acceptance policy and reinsurance contracts Proper performance of internal controls Internal audit Help with risk modelling/data Actuarial appropriateness of assessment and methodology In context of audit plan Monitoring and audit Appropriateness and effectiveness Opinion on underwriting and acceptance policy and reinsurance contract Risk analysis; risk control of first line of defence Mutual audit and monitoring Requests for methodological support Measurement/ assessment of overall risk situation In context of overall risk situation Monitoring of laws and regulations (compliance risk only) Preventive; measures to prevent violations Risk-management function Analysis and assessment Compliance risk as operational risk Avoidance/follow-up of v iolations Compliance function Interfaces Core task

7 Page 7/8 Internal audit: checks the operational capability and effectiveness of the internal control system with reference to the assessment and decision-making processes. Since all four functions have a direct reporting line to the Board, there should be regular exchange of information to ensure consistent communication, though assessments may not always be the same and there can be differences of opinion. Efficient and consistent communication will be facilitated by uniform definitions and materiality thresholds, the latter being especially important for the identification and assessment of significant risks. Both the internal-audit and risk-management functions are responsible for monitoring the operational effectiveness of the risk-management system and identifying potential risks at an early stage. Monitoring by the riskmanagement function is directed primarily at the operational units in the first line of defence, whilst internal audit is concerned with both the first and second lines, the latter including the risk-management function itself. Use of the monitoring results or reports of one function by the other with no check or analysis of its own is therefore not permissible, as the separation of the functions would not then be assured. Once the functions are actually working in practice, more interfaces not shown in the diagram will doubtless become apparent. It will then be the Board s responsibility to define, document and communicate a clear segregation of duties. Outsourcing In principle, any task and function may be outsourced to a service provider under Solvency II. According to paragraph 28 of the definitions in the framework directive (Article 13), outsourcing for the purposes of Solvency II means an arrangement of any form between an insurance or reinsurance undertaking and a service provider, [ ] by which that service provider performs a process, a service or an activity, [ ] which would otherwise be performed by the insurance or reinsurance undertaking itself. The one-off use of a service provider for a short period of time ( specialist consultant ) is not deemed to constitute outsourcing. A company must itself decide whether performance of a service by a provider constitutes outsourcing. A company may select service providers that are: part of the group to which the company belongs or outside it, inside or outside the EU, supervised or not supervised. The outsourcing of individual tasks to be performed by the four key functions is thus permitted, as is the outsourcing of an entire function to a service provider, provided that the requirements laid down in Art icles 39 and 49 are satisfied. Companies using an external service provider will remain fully responsible for discharging all of their obligations 4 gunder the Directive. Special requirements and additional reporting obligations apply to the outsourcing of critical and important functions. Any company outsourcing a function must appoint an internal member of staff to continue to be responsible for the function. The person concerned must be named in a written work instruction and will be required to verify performance of the outsourced tasks and the quality of the service provider s work. In addition, a named person at the service provider must satisfy the fit and proper requirements applicable to the function. The selection process, the terms of contracts with service providers, the day-to-day working arrangements and emergency plans required should be documented in a guideline. A formal agreement clearly defining the rights and obligations of the company and the service provider is also required. The supervisory authorities will expect to see the following conditions in an outsourcing contract: 5 Service provider to cooperate with the supervisory authorities The company, its auditors and the supervisory authorities to have access to relevant data at the service provider Supervisory authorities to have effective access to the service provider s business premises This means that the service provider s processes, employees and data may be subject to on-site audit by the supervisory authorities at any time. Such audits will verify whether the service provider is capable of assuming the function transferred to it to a satisfactory standard and whether there are any conflicts of interest. Article 49 of the directive stipulates that critical or important operational functions may not be outsourced if outsourcing would lead to material impairment of the quality of the system of governance; an undue increase in the operational risk; impairment of the ability of the supervisory authorities to monitor the compliance of the undertaking with its obligations; continuous and satisfactory service to policyholders being undermined. These points must be monitored at the company by the risk-management function and through the intern al control system. A company must notify the supervisory authorities in a timely manner of any intended outsourcing or changes in outsourcing arrangements. Level 3 defines in a timely manner as at least six weeks in advance. 4 Solvency II Directive, Article 49, paragraph 1. 5 Solvency II Directive, Article 38, paragraph 1.

8 Page 8/8 Outsourcing enables companies to meet the requirements of Solvency II regarding the key functions without making major changes to their own structure or employing additional staff. There is no doubt that there are differing prerequisites for outsourcing the functions. It is very important for the risk-management and compliance functions to be close to the operational units and central divisions of a company. For the actuarial function in particular, outsourcing certain tasks can be an attractive way of meeting the wide range of requirements. In the main, consultant actuaries or reinsurance companies are appropriate external service providers in this area. Reinsurers subject to Solvency II are obliged to set up the same key functions and meet the same requirements. They have in-depth and wideranging actuarial expertise, as it is of core importance to their own business. Munich Re already offers numerous services and specialist consultancy to help companies with the Solvency II requirements. Many of Munich Re s centralised services and tools are ready for Solvency II. These include, for example, biometric portfolio analyses and underwriting services in the life segment as well as risk-assessment and pricing tools, also in the health and property/casualty segments. Conclusion The establishment of the four key functions for Solvency II should not merely be considered as a regulatory requirement, but also as a way of optimising a company s own system of governance, thus having a positive effect on processes and decisionmaking. Introduction of Solvency II will make a number of changes to companies systems of governance necessary. The responsibilities laid down in the framework directive and defined in the Level 2 and Level 3 papers are likely to lead to an increase in the activities of the functions concerned. It will be particularly challenging for companies to ensure efficient interaction between the four key functions while establishing clear separation of responsibilities, and in practice they will need time to prepare for it. Application of the principle of proportionality will give them a degree of discretion in their structures and processes. There is therefore no catch-all standard that would meet all of the regulator s requirements if implemented. On the contrary, a company s specific circumstances must be taken into account, which presents both a challenge and an opportunity. Munich Re is the right partner for companies intending to exploit that opportunity. We provide insurers with support in adapting to Solvency II and offer them services that are targeted at helping them comply with the new requirements. In addition, we offer consultancy and workshops to help companies prepare for the Solvency II Pillar 2 requirements. Not if, but how