The proposed governance requirements aim to provide consistency with the banking sector as well as consistency across territories and acknowledge that some types of risk are best addressed through good governance rather than through allocating additional solvency capital.
As firms will be required to meet regulatory principles rather than rules, Solvency II will place more responsibility on the firm’s management. The firm will be required to demonstrate to the supervisor, through the Own Risk and Solvency Assessment (ORSA), that its governance (including corporate governance) and its risk management approach and practices are appropriate to its specific risk profile.
Through the Supervisory Review Process (SRP), the supervisor will assess the ability of the firm’s system of governance to identify, assess and manage the risks and potential risks it faces as a business. The supervisor will have the power to force firms to remedy any weaknesses and deficiencies it identifies in their system of governance, including strategies, processes and reporting procedures, in order to give greater confidence in the overall solvency position.
The onus will be on the firm to ensure its governance and management are demonstrably sound and can be verified adequately by the supervisor, requiring the appropriate documentation of policies and procedures, roles and responsibilities, and reporting and Management Information (MI).
The system of governance will be required to demonstrate sound and prudent management of the business; be proportionate to the nature, scale and complexity of the operations of the firm; and be subject to regular review. It must include:
- An adequate and transparent organisational structure with a clear allocation and segregation of responsibilities and an effective system for ensuring the transmission of information;
- Written – and implemented – policies, subject to review at least annually and in the light of any significant change, covering as a minimum risk management, internal control, internal audit and any outsourcing.
An effective risk management system will be a key element of the system of governance. It must include strategies, processes and reporting procedures to monitor, manage and report the firm’s risks continuously. The risks will need to be addressed individually, in aggregate, and in relation to their interdependencies.
The risk management system must be well integrated into the organisational structure of the firm and as a minimum, cover:
- underwriting and reserving;
- asset-liability management;
- investment, in particular derivatives and similar commitments;
- liquidity and concentration risk management;
- reinsurance and other risk mitigation techniques.
If the firm uses a partial or full internal model it will need to demonstrate that the internal model is embedded in the risk management system. The risk management function will, therefore, have additional responsibilities in relation to the internal model, including:
- design and implementation;
- testing and validation;
- documentation and keeping this up to date;
- analysis and reporting of the model’s performance;
- informing the Board and senior management about its performance, flagging required improvements and reporting on the status of previously identified weaknesses.
Risk management should be seen as a continuous process, and firms will therefore have to establish a risk management function where one does not already exist. In line with the principle of proportionality, this does not necessarily imply the need for a full-time Chief Risk Officer (CRO), but the risk management function is required to be demonstrably objective and independent. CEIOPS (the Committee of European Insurance and Occupational Pensions Supervisors) recognises that complete segregation of duties is sometimes impractical, and functions such as risk management can also be outsourced where this is consistent with effective risk management. In practice, outsourcing the function is only likely to be appropriate for smaller insurers.
Outsourcing is a concern for regulatory authorities, particularly in relation to the degree of control the firm retains over outsourced functions and the level of governance applied to them. The supervisory authorities will have the right to access all relevant data held by the outsourcing service provider, as well as the right to conduct on-site inspections. This right of access to data also applies to outsourced activities outside the EU. Supervisors must also be informed in an adequate and timely manner prior to the outsourcing of important activities and prior to any subsequent material changes. This places an additional requirement on firms to ensure that outsourcing contracts are drawn up and managed effectively, so that the contractual terms actually secure the supervisor’s access and the firm’s own oversight.