Solvency II Achieving benefits beyond compliance. An Enterprise Risk Management approach to implementation of Pillar 2


Solvency II the way we do it

Table of Contents

1. Foreword
2. Background
3. Operational implementation of Pillar 2
3.1 Introduction to ISO 31000
3.2 Implementing an effective framework
3.3 Applying ISO 31000 to Pillar 2
3.4 Managing ORSA - the organizational process
3.5 Potential benefits
4. Conclusion
5. About us
5.1 Capgemini
5.2 The Norwegian Risk Management & Compliance practice
5.3 About the authors
6. Appendix: Overview of Pillar 2
6.1 Regulatory requirements of Pillar 2

The information contained in this document is proprietary. 2013 Capgemini. All rights reserved. Rightshore is a trademark belonging to Capgemini.

1. Foreword

Solvency II represents a fundamental change for insurers and a step toward more comprehensive and transparent risk management throughout Europe. The insurance industry, consultants and software vendors can testify that Solvency II compliance is a moving target, with unclear timelines and ongoing discussions regarding transitional arrangements. Despite these uncertainties most insurers have Solvency II high on their agenda, and are working intensively to make the last necessary adjustments before the directive is put into force.

There is no one-size-fits-all solution to Solvency II, and insurers are approaching implementation in different ways. Our experience is that most are giving priority to modeling the capital requirements outlined in Pillar 1 and to the reporting requirements in Pillar 3, and that several insurers are underestimating the importance of Pillar 2. As a result, many companies are missing out on the potential strategic benefits of enterprise-wide risk management.

Enterprise Risk Management (ERM) is an organizational governance approach to Pillar 2 that can facilitate these benefits. In this paper we wish to demonstrate how an ERM framework based on the ISO 31000 risk management standard can contribute to developing the robust governance system for risk management that Pillar 2 prescribes. ISO 31000 is an internationally recognized, principle-based standard for the implementation of risk management in organizations of all sizes across industries.

2. Background

Solvency II is designed to encourage increased consistency between insurance companies' risk exposure, business strategy and capital needs. It is intended to foster a more comprehensive approach to risk management and to ensure increased transparency. Solvency II should not be seen as a box-ticking activity applied to updated rules for calculating and reporting regulatory capital. That perspective shifts focus away from equally important issues addressed by the directive, namely fostering a culture of ERM and integrating risk management with the overall business and strategy.

In the work towards achieving compliance with Solvency II, many Scandinavian insurers are at a turning point: having focused primarily on the quantitative aspects of the directive in Pillar 1, they are now turning toward the complex, qualitative obligations of Pillar 2. While compliance with the directive is mandatory, the approach companies take to implementing it is not specified. As such, in deciding their Pillar 2 strategy, organizations have significant opportunities to achieve benefits beyond compliance; this requires the establishment of an enterprise approach to risk management.

ERM comprises the coordinated activities that companies use to manage the total view of the effects of uncertainty on overall strategic objectives across the organization. These uncertainties represent any deviation from the expected, and include the ability to seize opportunities arising in relation to achieving goals. Responding adequately to the requirements of Solvency II, especially Pillar 2, will require a cultural change and increased competence for many companies, as well as an extensive and planned approach to bridge the gap between the standards in place today and those required under Solvency II.

Given this context, this paper has been driven by the following questions:

What are we investigating?

Solvency II has ERM as a foundational principle. The theory and practice of ERM is made accessible through the use of recognized standards, including COSO ERM, or the newer international standard for risk management, ISO 31000. Although COSO ERM lays down important principles regarding risk management, it has been criticized as being overly theoretical and vague in its guidance for implementation. In our opinion ISO 31000 provides clearer and more practical guidance on implementation.

Therefore, in this paper we investigate how ISO 31000 can be used to build the foundation for a successful Solvency II project, focusing on integrating ERM with the organization's overall strategic management process.

Why are we interested in this topic?

Investigating how ISO 31000 can be used to build the foundation for a successful Solvency II project increases the understanding of the organizational efforts that may result in benefits beyond compliance, i.e. ensuring that risk management is tied to the organization's achievement of objectives, rather than just regulatory compliance. We wish to provide a guideline for how to handle the operational challenges of implementing Solvency II by focusing on Pillar 2.

Why would this paper be of interest to others?

The paper benefits practitioners and companies involved in the organizational aspects of Solvency II compliance. If you represent a company that is interested in improving its compliance work, this paper will provide valuable insights and experiences to consider. Section 3 of this paper gives guidance on the application of ISO 31000 to the operational implementation of Pillar 2, including the design and implementation of the Own Risk and Solvency Assessment (ORSA) process. Section 4 includes concluding remarks and recommendations for companies and their ongoing compliance work.

3. Operational implementation of Pillar 2

In our experience, a major challenge with the Solvency II regulations for many companies relates to implementing Pillar 2 in an effective manner. The main difficulty is that the Solvency II Directive and the European Insurance and Occupational Pensions Authority (EIOPA) consultation papers on implementing measures define only the underlying principles; these guidelines and principles must be interpreted and adapted according to each unique organizational context. In light of this, we will focus on how ISO 31000 can be used to implement the organizational aspects of Pillar 2.

3.1 Introduction to ISO 31000

3.2 Implementing an effective framework

ISO 31000 describes the necessary components of a risk management framework and the way in which they interrelate in an iterative manner, as outlined in Figure 1. In this section we elaborate on the details of the various components of a risk management system, and on how ISO 31000 may help in implementing an effective framework for ERM.

Figure 1: Relationship between the various components in a risk management framework (ISO 31000). The cycle consists of: Mandate and commitment (assign and delegate areas of responsibility and accountabilities appropriately; assign necessary resources to risk management; communicate the benefits of risk management to stakeholders; ensure that the framework continues to remain appropriate); Design framework for managing risks; Implementing risk management; Monitoring and review of the framework; Continuous improvement of the framework.

ISO 31000 defines risk as the effect of uncertainty on objectives. Therefore, it is crucial that the design of the framework is founded on clearly defined and articulated objectives.

A key topic in designing the risk management framework is to evaluate and understand both the external and the internal context, which can, and should, influence the framework significantly. The external context should include at least the key drivers and trends that have an impact on the organizational objectives, as well as the political, financial, technological and competitive environment. An evaluation of the external stakeholders is also recommended. When evaluating the internal context the framework should include at least descriptions of governance and organizational structures, policies, objectives and strategies, information systems and information flows, and decision-making processes. It is also important to have a clear view of the internal stakeholders and the organizational culture.
Establish mandate and commitment

Effective ERM is dependent on a strong and sustained commitment from senior management, as well as strategic and rigorous planning to achieve commitment at all levels of the organization. To create the foundation for ERM, ISO 31000 recommends that management should:
- Establish and endorse the risk management policy
- Ensure alignment between organizational culture and the risk management policy
- Establish key performance indicators for risk management and risk management objectives in accordance with business objectives and strategies

In addition to describing the external and internal context, a well-founded framework for risk management should include a risk management policy that clearly states the organization's objective for risk management. The risk management policy typically addresses the rationale for managing risks, the linkage to organizational objectives, accountabilities and responsibilities, how conflicts of interest are handled, and the approach to measuring and reporting on the performance of the risk management framework.

Another important element of the framework is to establish the accountability, authority and appropriate competence for managing risks. In defining accountability, attention should be paid to identifying risk owners and the responsibilities of people at all levels of the organization for the risk management process. In addition, the policy should include performance measurement and appropriate escalation processes.

The risk management policy should describe how risk management is integrated appropriately in organizational processes. In particular, risk management should be embedded into policy development, business and strategic planning and review, and all change management processes. Finally, the risk management framework should clearly define financial and non-financial resources, and the internal and external communication and reporting mechanisms.

Implementing risk management

Establishing a well-defined framework for risk management is crucial. Nevertheless, some might argue that the real challenge is in implementing it throughout the organization. In implementing the framework the organization must define the appropriate timing and strategy. A key element in the implementation phase is to integrate the appropriate processes for risk assessment into strategic decision-making processes.

Dry-runs are the starting point in implementing defined processes. They enable a practical verification of the process design, and show whether the organization has the necessary resources available to succeed. There may be a need for several process dry-runs before settling on the appropriate design, and it is therefore important to start them at an early stage. Performing dry-runs with an increasing degree of sophistication will help build maturity and ownership at the senior management level. The infrastructure supporting risk management processes should be designed only once the process owners are sure that the risk management approach is appropriate and effective.

During the implementation phase a number of necessary changes may be discovered. These could include adaptations due to access to resources or changes in the external or internal context. It is important to allow for such adaptations to ensure that the risk management framework and processes are aligned with the organizational capabilities and conditions, and not designed for an ideal situation detached from the day-to-day constraints of any organization.

A typical pitfall in the implementation phase is that roles, responsibilities and authority exist only in theory, and have little impact on actual decision-making processes. It is also common that the organization lacks the will or ability to prioritize the task of integrating new or changed activities into existing business processes. Finally, when dealing with regulatory regimes like Solvency II, it is often seen that the frameworks and process designs give a false sense of security because they may document only theoretical compliance. A framework for risk management has limited value on paper; its effectiveness is highly dependent on true integration with day-to-day business, rooted in the reality and constraints of the organization.

Monitoring and review of the framework

To ensure the effectiveness of risk management, and that it supports organizational performance, the organization should implement activities for monitoring and review. The organization should measure the performance of risk management against appropriate indicators aligned with overall strategic key performance indicators. Periodically, the framework must be reviewed to evaluate its appropriateness given the internal and external context, and also to evaluate the overall effectiveness of the framework.

Continuous improvement of the framework

The results of monitoring and review should lead to decisions on how the risk management framework, policy and plan may be improved. A risk management framework should be a living document, meaning that adaptations must be made continuously, as the external and internal context evolve and internal maturity increases. An outdated risk management framework has very little value, and may even result in suboptimal decisions; therefore ensuring continuous improvement and alignment with changes in strategy and context is crucial.
3.3 Applying ISO 31000 to Pillar 2

The foundation for operationalizing risk management is the design of the risk management framework. This gives the basis and the tools for integrating risk management at all levels in the organization. The framework includes a description of a company's internal and external context. This will vary from company to company, but includes the environment in which the company operates, and the key drivers and trends that affect its objectives.

A key element in the framework is the ERM policy, which clarifies the purpose and objectives of ERM. It is recommended that the policy details how risk management supports achievement of organizational objectives, and describes the areas of responsibility with regard to risk management. Keeping the ERM policy updated demonstrates that risk management is a dynamic activity in the organization, fully supported by management and the Board.

For Solvency II, an ERM policy should describe and document an efficient risk management system. Articles 41 to 49 of the Directive set the Pillar 2 requirements for risk governance, such as segregation of duties, handling of conflicts of interest, key functions related to risk management, scope of the risk management system, and competence requirements. Pillar 2 also requires an ORSA, a top-down assessment of the short and long term risk profile with regard to the strategic plan. In other words, a company's ERM policy is crucial in ensuring compliance with Pillar 2 requirements.

Another element included in the framework is how risk management is integrated with other processes in the company, specifically strategic planning and administration. Again, we see alignment between ISO 31000 and Solvency II: one of the main purposes of ORSA is that it should be integrated into the company's strategic processes; ORSA is based on the business strategy, and the business strategy should in turn be supported by ORSA. The topic of ORSA is further detailed in the next section.

Similarly to Solvency II, ISO 31000 requires a description of how the organization ensures resources for risk management. This takes into account the people, skills and competence needed to undertake effective risk management. Also, there should be documented processes, methods, tools and techniques to support risk management. Additionally the framework should cover internal and external communication and reporting mechanisms, which supports compliance with the reporting and disclosure requirements of Pillar 3 of Solvency II.

3.4 Managing ORSA - the organizational process

The ORSA process is an integrated part of risk management. It can be illustrated with seven generic steps based on ISO 31000 (Figure 2).

Figure 2: The seven generic steps of the risk management process: Consultation; Risk identification; Risk analysis; Risk evaluation; Risk treatment; Reporting; Review.

The principle of proportionality underlies ORSA, which means that each company will design its own process to fit the organizational structure, size and complexity of its business; as such, no two ORSA processes will look the same. Nevertheless, there are universal aspects of a risk assessment process that every ORSA will include. The generic steps from ISO 31000 should therefore be the cornerstone.

The Solvency II Directive requires the ORSA to be conducted at least annually, and on an ad-hoc basis whenever a significant change in the company's risk profile is identified. As such, monitoring of the risk profile using the standard formula or a (partial) internal model, in addition to continuous monitoring activities, is necessary. A well functioning governance system is therefore crucial.

The ORSA process is conducted top-down, which means the Board needs to take an active part throughout the process. In addition to the risk management plan, development of suitable tools such as interview guides, a risk universe, a risk register and documentation templates will be necessary to support the risk management function in facilitating the process.

ORSA does not represent a capital requirement. Its result is a top-down view of the capital need (economic capital) throughout the strategic planning period that takes the strategic business plan into account. Since ORSA captures all risks the business is exposed to, the result will differ from the capital requirement given by a model. An important exercise for the Board will therefore be to evaluate the result from ORSA against the result given by the model and the predefined risk strategy (risk appetite and tolerance). The conclusion should be captured in the capital planning process and will affect the business strategy. ORSA may also trigger a need for the development of internal models that better reflect the risk profile.

Some examples of activities that can be part of each of the generic components of a risk management process are outlined below. The process is most naturally facilitated by the risk management function.

Consultation
- Evaluate proposed changes in the governance system, policy documents and frameworks
- Approve updated risk strategy
- Approve plans and tools for risk management

Risk identification
- Identify the company's long and short term overall risk exposure

Risk analysis
- Determine probability and consequences of identified risks
- Conduct stress tests/scenario analysis

Risk evaluation
- Evaluate risk profile against predefined risk appetite and tolerance
- Consider short and long term capital needs
- Evaluate regulatory capital requirement against economic capital
- Conclude based on results

Risk treatment
- Develop a proposal for actions and analyze the effects of the actions
- Choose, prioritize and decide on actions
- Identify Key Risk Indicators (KRIs)

Reporting
- Compile documentation, including capital and contingency plan
- Quality check and approve ORSA documentation

Review
- Evaluate and review the process for risk management
- Develop suggestions for improvements

3.5 Potential benefits

A risk management framework in accordance with ISO 31000 corresponds with several of the requirements in Solvency II. At the same time, the framework can help to prepare for implementation with the holistic perspective Solvency II is intended to encourage. Investing time and resources in establishing a well-anchored risk management framework helps in preparing for Solvency II, ensuring that risk management is tied to the company's achievement of objectives, rather than merely regulatory capital calculation.

Potential benefits deriving from holistic, well-functioning risk management are extensive, for instance:
- Increased likelihood of achievement of objectives and proactive management
- Improved identification of opportunities and threats
- Increased stakeholder trust and confidence
- Competitive advantage
- A robust foundation for decision-making and planning
- Improved controls
- Increased operational efficiency and productivity
- Prevention of losses and improved management of risk events
- Reduced cost of capital
- Minimized losses

4. Conclusion

Despite uncertainty regarding the final implementation date of Solvency II, most insurers across Europe are scrambling to meet the requirements of this extensive directive. Nonetheless, it seems that many have underestimated the importance of the ERM perspective in Pillar 2, which means that Solvency II may not have the impact on holistic risk management that it was intended to have.

The Solvency II Directive, with its corresponding consultation and guidance papers, is vast and complex. Utilizing easily accessible standards such as ISO 31000 can provide the organization with a better and wider understanding of how ERM can improve the organization's performance, and yield benefits beyond compliance. In this paper we have described how a framework for risk management based on ISO 31000 addresses the major requirements of Pillar 2, and how ORSA may be integrated in the overall risk management process.

ISO 31000 is not a quick fix for Solvency II, nor does it address the complex requirements of Pillars 1 and 3. It does, however, provide guidance on how to implement an effective and robust governance system (including a system for risk management), which is at the core of the Pillar 2 requirements. A critical step towards achieving benefits beyond compliance is to design and build an effective risk management system tailored to the organization.

Solvency II dictates that information about risk is to be used in strategic decision-making, and many insurers realize the benefits of developing internal or partial internal models that reflect the actual risk exposure and capital needs. Insurers must have a clear understanding of how risk management, capital management and business strategy interact. This integrated view on risk management is at the core of ERM. Solvency II implementation will require considerable resources, and therefore potential benefits beyond compliance should be explored. To achieve these benefits, ERM should be considered as a tool for managing uncertainty regarding goal achievement. A risk management framework based on ISO 31000 creates a solid basis for implementing Solvency II with a focus on strategic benefits.

5. About us

5.1 Capgemini

With around 120 000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. Together with our clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore, our worldwide delivery model.

Capgemini's Global Financial Services Business Unit brings deep industry experience, innovative service offerings and next-generation global delivery to serve the financial services industry. With a network of 18 000 professionals serving over 900 clients worldwide, Capgemini collaborates with leading banks, insurers and capital market companies to deliver business and IT solutions and thought leadership that create tangible value. Capgemini and EFMA provide thought leadership related to the insurance industry in our annual World Insurance Report (www.capgemini.com/wir12).

5.2 The Norwegian Risk Management & Compliance practice

This paper is written by members of Capgemini's Norwegian Risk Management & Compliance (RM&C) practice. Our team consists of highly skilled advisors and practitioners within areas like ERM, Basel II & III, Solvency II, Anti Money Laundering, Foreign Account Tax Compliance Act (FATCA), and the Personal Data Act. The RM&C team has been involved in several Solvency II projects within both life and non-life insurance, building on our strong legacy from Basel II implementation programs. The practice has extensive experience within risk management and compliance in the financial services sector, with a focus on implementing ERM principles to achieve strategic benefits rather than solving short-term compliance. Our team consists of risk experts with both business and technical competence delivering end-to-end solutions for risk management and compliance.

5.3 About the authors

Jennie Wallin is a Senior Risk Management & Compliance consultant and project manager. She is an experienced advisor and has managed several Solvency II projects, specializing in Pillar 2 requirements and ORSA. Email: jennie.wallin@capgemini.com

Anita Gupta is a Senior advisor in Capgemini's Business Information Management practice and project manager focused on Risk Management & Compliance and Performance Management. She has been involved in several Solvency II projects for both small and large insurers. Email: anita-ashok.gupta@capgemini.com

Kelsey Nutland has several years of experience in ERM and ISO 31000 within financial services and the public sector. Kelsey is a senior Risk Management & Compliance consultant and project manager, specializing in the development of frameworks for ERM and internal control for clients seeking Solvency II compliance.

Eirik Øsebak is a Managing Consultant within Capgemini's Norwegian Risk Management & Compliance practice. He has been involved in numerous Risk Management projects, and is focused on implementing ERM principles, rather than solving short-term compliance issues. He has been managing Solvency II projects since 2008, and has been involved in projects covering all pillars for both non-life and life insurers.

6. Appendix: Overview of Pillar 2

6.1 Regulatory requirements of Pillar 2

Solvency II regulations require that insurers hold sufficient capital to meet the solvency capital requirements at all times. Figure 1 outlines the scope of the three pillars of Solvency II; in this article we focus on Pillar 2 and its implementation from an ERM perspective. Key aspects of Pillar 2 are requirements related to:

- ORSA, the cornerstone of Solvency II
- Risk management, including risk-management strategy, policies, processes and internal reporting procedures
- Internal control, including internal control framework and appropriate reporting procedures to ensure compliance with applicable laws and regulations, efficiency of an undertaking's operations and reliability of information used
- System of governance, including risk management, actuarial, compliance and internal audit function
- Supervisory review of undertakings' risk management and governance system, aiming to ensure undertakings are well run and meet risk management standards

All companies subject to the Solvency II regulations must demonstrate that they have implemented an effective governance system, including risk management and internal control. Pillar 2 focuses on the organizational arrangements of an insurer's internal control and risk management process, as well as the approach to enforcement by the supervisory authority. Regardless of whether the undertaking uses the standard or a (partial) internal model under Pillar 1, conducting an ORSA is required.

Figure 3: The three pillars of Solvency II
- Pillar 1: Technical provisions; Own funds; Capital requirement: MCR - Minimum capital requirement, SCR - Solvency capital requirement; Standard or internal model
- Pillar 2: Use test of internal model; Own Risk and Solvency Assessment (ORSA); Risk management and internal control; System of Governance; Supervisor review
- Pillar 3: Quantitative Reporting Templates (QRT); Solvency & Financial Condition Report (SFCR); Regular Supervisory Reporting (RSR); Market discipline

The part of the Solvency II Directive covering requirements for the system of governance consists of seven main articles, outlined in Figure 4. They are in turn composed of functions and rules, each with set levels of expectation. A brief overview of Articles 41-49 is given below. The full description can be found in the Solvency II Directive [SII09] and the corresponding Level 2 consultation paper Level 2 Implementing Measures on Solvency II: System of Governance [CP33].

Figure 4: The overall Solvency II governance requirements
- Governance (Article 41)
- Fit & proper requirements (Articles 42 and 43)
- Risk management (Article 44)
- ORSA (Article 45)
- Internal control (Article 46)
- Internal audit (Article 47)
- Actuarial function (Article 48)
- Outsourcing (Article 49)

Articles 41-43 and 49: General governance requirements

Article 41 introduces the main requirements in Articles 42 to 49, emphasizing that all insurance and reinsurance undertakings should have in place an effective system of governance and that all persons who run the undertaking or have other key functions must have sound and prudent management (fit) and must be of good repute and integrity (proper). Additionally, the insurance and reinsurance undertakings remain fully responsible for outsourcing of their critical business functions and activities, which must not impact the quality of the organization's governance, business and compliance.
Articles 44, 46-48: System for risk management and internal control

The Directive states that the insurance and reinsurance undertakings shall have in place an effective risk-management system, as well as an internal control system that should take into account the following minimum requirements:

- Clear organizational structure and adequate roles and responsibilities
- Well-defined and documented risk strategy/plan, guidelines, controls and routines to ensure that the organization on a continuous basis can identify, measure, monitor and manage the risks it is exposed to
- Appropriate communication and reporting routines at all levels in the organization
- Dedicated control functions for risk management, compliance, actuarial analysis and internal audit

Article 45: ORSA

Article 45 describes that, as part of its risk-management system, every insurance and reinsurance undertaking shall conduct its ORSA to determine the capital requirement, technical provisions, risk measure and calibration. To summarize, ORSA covers the following points:

- ORSA has a top-down and forward-looking perspective (owned by the Board) aiming to ensure that the organization is able to meet its strategic plan for the next 3-5 years, including occasional extraordinary circumstances
- ORSA is an integrated part of the organization's business strategy and should serve as an input in strategic decisions
- ORSA includes a quantitative and qualitative assessment of the company's risk profile
- ORSA is linked to capital planning. A capital and contingency plan should be attached as part of the ORSA report
- ORSA should be performed on a regular basis (at least annually) or ad hoc whenever there is a significant change in the organization's risk profile

About Capgemini

With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore, its worldwide delivery model.

Learn more about us at www.capgemini.com

The information contained in this document is proprietary. 2013 Capgemini. All rights reserved. Rightshore is a trademark belonging to Capgemini.