Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS e.v.) Westhafenplatz 1 60327 Frankfurt am Main Germany Att.: Ms. Sibylle Schulz Final input from the Groupe Consultatif in regard to the development of Level 3 guidance on the Own Risk and Solvency Assessment (ORSA) Dear Ms. Schulz 29 July 2010 Following the useful exchanges in our meeting in Frankfurt on 27 May 2010 and your subsequent e-mail correspondence with Mr. Soren Kruse we are pleased to forward our final document that contains our input to the development of Level 3 guidance on the Own Risk and Solvency Assessment (ORSA). Our final document is split into three main sections 1. Enterprise Risk Management within the insurance industry, 2. Content of the ORSA process as defined in article 45, 3. Role of the actuarial function as defined in article 48 in the ORSA process. Following our discussions at previous meetings section 2 also emphasizes: Issues on proportionality, Issues on internal models, Issues on groups. 1
We very much look forward to discussing this in more detail with you and your colleagues at our next meeting in Frankfurt on Wednesday 1 September from 11:00 13:00 followed by lunch. At this meeting Groupe Consultatif will be represented by Mr. Esko Kivisaari and 1 2 other representatives. Your sincerely Esko Kivisaari Groupe Consultatif Chairman, Working Group on Internal Governance, Supervisory Review and Reporting Seamus Creedon Groupe Consultatif Manager, Solvency II Project 2
FINAL INPUT FROM GROUPE CONSULTATIVE TO CEIOPS ON LEVEL 3 ADVICE FOR OWN RISK AND SOLVENCY ASSESSMENT We are pleased to present our final input to the ORSA process in which we show how generic actuarial competence can best contribute to the ORSA process. We will also focus on how the Actuarial Function as defined in the directive may participate in the process. We will start with a description of enterprise risk management within the insurance industry as described by the International Actuarial Association (IAA) in their document Note on Enterprise Risk Management for Capital and Solvency Purposes in the Insurance Industry, published in March 2009. In this document IAA describes the ORSA process as an integral part of an insurer s Enterprise Risk Management (ERM). In this submission we will narrow our description of the ORSA as defined in the directive and split the remaining part of our document into two sections: Content of the ORSA process as defined in article 45, Role of the actuarial function as defined in article 48 in the ORSA process. In our description of the content of the ORSA process we will furthermore cover the following sub-topics: Issues on proportionality, Issues on internal models, Issues on groups. 1 Enterprise Risk Management within the insurance industry as described by the International Actuarial Association 1.1. General features of Enterprise Risk Management In recent years the concept of Enterprise Risk Management (ERM) has been embraced by an increasing number of insurers seeking to improve their management practices and the operating performance of their businesses. Today, ERM is increasingly regarded as an appropriate response or indeed a solution to managing risk in today s more complex and interdependent markets and operating environments. Insurance supervisors have also played a leading role in setting standards and providing guidance to insurers on implementing appropriate frameworks for the management of risks faced by insurance companies. 3
The International Actuarial Association (IAA) has developed guidance for insurers to support the Standards and Guidance materials developed by the International Association of Insurance Supervisors (IAIS) for supervisors. It draws on experience of industry, supervisory practices, and models and frameworks published by others. It also emphasises practical considerations. The IAIS Standard describes eight key features. The IAA unpacks each of the key features by explaining them in more detail, thereby assisting insurance executives address strategic and operational issues associated with implementing an ERM framework in their insurance business. The material is presented as issues to consider and information about solutions others have used rather than a prescription to follow when implementing ERM. There is no one right way; rather the appropriate approach will depend on the particular circumstances of the insurer. In the document Note on Enterprise Risk Management for Capital and Solvency Purposes in the Insurance Industry, published in March 2009, the IAA describes the ORSA process as an integral part of an insurer s Enterprise Risk Management: 4
Figure 1: The eight key features as described by International Association of Insurance Supervisors Effective ERM is inextricably linked with strategic planning for a business. When ERM is integrated in the business planning cycle of the insurer, decisions of the company (e.g., growth of business lines, acquisitions, new product development, new channels) are made on a risk-adjusted basis and fully supported/informed by the ERM process. Consequently, the annual risk budget / capital allocation by risk-type should be set in accordance with the business strategy of the enterprise. Finally, end-of-year capital measurement and performance measurement is conducted on a risk-adjusted basis, to complete the full circle of value creation. The importance of ERM is also reflected in the way supervisors and rating agencies increasingly expect insurers to apply ERM techniques for managing their business on a day-to-day basis. 5
It is clear that the ORSA process is just one element of the ERM process. It should however be noted that it seems unlikely that a credible ORSA process can be built in isolation. Therefore we treat the ORSA process in terms of the overall ERM and not as an isolated issue. Additionally, in our opinion the IAA s model underlines the unique characteristics of ORSA as described in the directive: ORSA is a process the ORSA is not implemented and fulfilled by a report in a specific format or by filling in templates, ORSA is forward looking whereas the Pillar I SCR considers a 1 year time horizon, the time horizon of the ORSA should be 3 5 years or correspond to the company s business planning horizon, ORSA is company specific there cannot be a one-size-fits-all approach to the ORSA. Furthermore the principle of proportionality needs to be taken into account, The board of directors is ultimately responsible for ORSA. Although being a separate part of ERM the ORSA process also interacts closely with the other parts of ERM either by providing input to these parts and/or performing a review of these parts. 1.2 Features of Enterprise Risk Management as described by The International Actuarial Association The IAA describes the eight features of the ERM process in detail in their note. In the following section only the main content of each feature is summarised. In the appendix there is a table that compares the IAA description of ERM and shows how its features correspond to the elements of article 45 of the directive. Feature 1: Governance and Enterprise Risk Management Framework The IAA framework describes this feature as follows: As part of its overall governance structure, an insurer should establish, and operate within, a sound ERM framework which is appropriate to the nature, scale and complexity of its business and risks. The ERM framework should be integrated with the insurer s business operations, reflecting desired business culture and behavioural expectations and addressing all reasonably foreseeable and relevant material risks faced by the insurer in accordance with a properly constructed risk management policy. The establishment and operation of the ERM framework should be led and overseen by the insurer s board and senior management. 6
For it to be adequate for capital management and solvency purposes, the framework should include provision for the quantification of risk for a sufficiently wide range of outcomes using appropriate techniques. Feature 2: Risk Management Policy The IAA describes this feature as follows: An insurer should have a risk management policy which outlines the way in which the insurer manages each relevant and material category of risk, both strategically and operationally. The policy should describe the linkage with the insurer s tolerance limits, supervisory capital requirements, economic capital and the processes and methods for monitoring risk. Feature 3: Risk Tolerance Statement IAA describes this feature as follows: An insurer should establish and maintain a risk tolerance statement which sets out its overall quantitative and qualitative tolerance levels and defines tolerance limits for each relevant and material category of risk, taking into account the relationships between these risk categories. The risk tolerance levels should be based on the insurer's strategy and be actively applied within its ERM framework and risk management policy. The defined risk tolerance limits should be embedded in the insurer s ongoing operations via its risk management policies and procedures. Feature 4: Feedback Loop IAA describes this feature as follows: The insurer's ERM framework should be responsive to change. 7
The ERM framework should incorporate a feedback loop, based on appropriate and good quality information, management processes and objective assessment, which enables the insurer to take the necessary action in a timely manner in response to changes in its risk profile. Feature 5: Own Risk and Solvency Assessment (ORSA) IAA describes this feature as follows: An insurer should regularly perform its own risk and solvency assessment (ORSA) to provide the board and senior management with an assessment of the adequacy of its risk management and current, and likely future, solvency position. The ORSA should encompass all reasonably foreseeable and relevant material risks including, as a minimum, underwriting, credit, market, operational and liquidity risks. The assessment should identify the relationship between risk management and the level and quality of financial resources needed and available. Feature 6: Economic and Supervisory Capital The IAA describes this feature as follows: As part of its ORSA an insurer should determine the overall financial resources it needs to manage its business given its own risk tolerance and business plans, and to demonstrate that supervisory requirements are met. The insurer's risk management actions should be based on consideration of its economic capital, supervisory capital requirements and financial resources. 8
Feature 7: Continuity Analysis IAA describes this feature as follows: As part of its ORSA, an insurer should analyze its ability to continue in business, and the risk management and financial resources required to do so over a longer time horizon than typically used to determine regulatory capital requirements. Such continuity analysis should address a combination of quantitative and qualitative elements in the medium and longer term business strategy of the insurer and include protections of the insurer's future financial position and modelling of the insurer s ability to meet future regulatory capital requirements. Feature 8: Role of supervision: The IAA describes this feature as follows: The supervisor should undertake reviews of an insurer's risk management processes and its financial condition. The supervisor should use its powers to require strengthening of the insurer s risk management, including solvency assessment and capital management processes where necessary 2 Content of the ORSA process as defined in article 45 Having covered a general description of the ORSA process as an integral part of an insurer s ERM we now concentrate on the content of the ORSA process as defined in the directive. The directive describes the OSRA process in article 45. This article and especially paragraphs 1 and 3 stress the quantitative aspects of the process. However, paragraph 4 makes it quite clear that the ORSA cannot be implemented as a calculating machine. Also the last paragraph makes it clear that ORSA and quantitative capital requirements are quite different concepts. 9
In our understanding the ORSA process is a systematic and documented process, built upon a sound risk management culture in the company. The sound risk management culture makes it possible to rationally evaluate the risks the company faces. The ORSA process should give the company an understanding of whether its risks are satisfactorily managed or not and should also produce quantitative information on the future capital needs of the business. This analysis of the risks should give the company and its management useful tools to take appropriate action in the face of the risks. This could mean strengthening the capital base of the company in the short or longer run. However it can also mean that the company could develop management actions that could be implemented based on what actually happens. We believe that an undertaking should be allowed to take calculated risks and, for example, inform its owners that in certain circumstances the company would need to ask for more capital from the owners to secure its future as a going concern. Article 45 of the Directive has the following content describing the ORSA. Article 45 Own risk and solvency assessment 1. As part of its risk-management system every insurance company and reinsurance company shall conduct its own risk and solvency assessment. That assessment shall include at least the following: (a) the overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the company; (b) the compliance, on a continuous basis, with the capital requirements, as laid down in Chapter VI, Sections 4 and 5 and with the requirements regarding technical provisions, as laid down in Chapter VI, Section 2; (c) the significance with which the risk profile of the company concerned deviates from the assumptions underlying the Solvency Capital Requirement as laid down in Article 101(3), calculated with the standard formula in accordance with Chapter VI, Section 4, Subsection 2 or with its partial or full internal model in accordance with Chapter VI, Section 4, Subsection 3. 10
2. For the purposes of point (a) of paragraph 1, the company concerned shall have in place processes which are proportionate to the nature, scale and complexity of the risks inherent in its business and which enable it to properly identify and assess the risks it faces in the short and long term and to which it is or could be exposed. The company shall demonstrate the methods used in that assessment. 3. In the case referred to in point (c) of paragraph 1, when an internal model is used, the assessment shall be performed together with the recalibration that transforms the internal risk numbers into the Solvency Capital Requirement risk measure and calibration. 4. The own-risk and solvency assessment shall be an integral part of the business strategy and shall be taken into account on an ongoing basis in the strategic decisions of the company. 5. Insurance and reinsurance companys shall perform the assessment referred to in paragraph 1 regularly and without any delay following any significant change in their risk profile. 6. The insurance and reinsurance companys shall inform the supervisory authorities of the results of each own-risk and solvency assessment as part of the information reported under Article 35. 7. The own-risk and solvency assessment shall not serve to calculate a capital requirement. The Solvency Capital Requirement shall be adjusted only in accordance with Articles 37, 231 to 233 and 238. 2.1 Overall solvency needs with respect to risk profile, risk tolerance limits and business strategy Within the given planning horizon (e.g. 3-5 years) the insurer should perform a projection of its overall solvency needs reflecting its risk profile, risk tolerance limits and business strategy. This projection may be made using a company specific model. The model could be based on stochastic simulation techniques or it could be a simple deterministic projection combined with predefined stress tests. As the ORSA process should be an integral part of an insurer s business strategy it is important that these projections are also made as a part of the insurers strategic planning. 11
In its ORSA an insurer should consider all material risks that may have an impact on its ability to meets its obligations to policyholders, including a consideration of the impact of future changes in economic conditions or other external factors. 1 The following risk could be considered material for most insurers and should receive management attention. These risks are not only the risks considered under pillar 1: Market risks, Insurance risks, Counterparty default risks, Operational risks. but also risks like: Liquidity risks, Management risks, Future earnings risks, Legal risks, Social changes, Economic cycles, Technological changes, Reputational risks, Political risks. The projections of solvency needs should not only be made given a status quo situation but also given likely changes to risk profile, risk tolerance limits and business strategy over the projection period and sensitivity to assumptions used. A significant change in the risk profile of the insurer should prompt it to undertake a new ORSA 2 1 IAIS Guidance Paper on enterprise risk management for capital adequacy and solvency purposes, section 42 2 IAIS Guidance Paper on enterprise risk management for capital adequacy and solvency purposes, section 42 12
The need for more detailed analysis of the overall solvency needs becomes particularly necessary in the following situations: Start up of new lines of business, Major changes in risk tolerance limits and / or reinsurance arrangements, Aggressive acquisition strategy to win new markets shares, Acquisition of other insurers and / or portfolios, Aggressive strategy to improve risk profile of existing portfolios, Major changes to premium levels (increase or decrease), Disposal of existing portfolios, Major changes to capital distribution (e.g. payment of dividend / bonus or repurchase of own shares) or injection of new capital, Major changes in assets-mix, Major external changes in risk factors like insurance risks or markets risks, Major changes in business conditions as competition, legislation and legal practice. 2.2 Continuous compliance with capital requirements and requirements regarding technical provisions It is clear from the directive that the ORSA process shall not serve to calculate a capital requirement. This is important when interpreting how firms should ensure continuous compliance with the capital requirements and technical provisions. Some may argue that the management, when performing the ORSA process, should ensure that the insurer holds sufficient capital to meet the SCR requirement through the projection period. This should mean that for a given e.g. 5 year planning period the amount of company capital at the beginning of the planning period should be sufficient to ensure a minimum probability of 97,52 % to meet the SCR at the end of the planning period. However this argument would automatically lead to the calculation of a capital requirement and be against the intention behind the directive. It would therefore be relevant to introduce the term economic capital along with regulatory capital where the latter term means Solvency Capital Requirements (SCR) and Minimum Capital Requirements (MCR). 13
The term economic capital has been defined as the capital needed by the insurers to satisfy its risk tolerance and support its business plans which is determined from an economic assessment of the insurer s risks, the relationship between them and the risk mitigation in place 3 Although many insurers apply stochastic projection methods in their planning process, and actually calculate a number for their economic capital and / or ruin probability over the projection period, these numbers should be the outcome of the ORSA process. However management should have a clear plan for continuous compliance with capital requirements and technical provision requirements. We could call this the insurer s capital plan. In this plan the insurer should demonstrate that, over the given projection period, it should be able to generate the economic capital required to support its business plans. The economic capital may be generated by: Future earnings, Injection of capital, Taking up subordinated loans, Sales of business activities. This capital plan should be regularly reviewed and revised as part of the ORSA process and may also include: Securing technical skills within the insurers organisation to perform the calculation of capital requirements and technical provisions requirements, Establishing early-warning indicators for potential future breaches of capital and technical provisions requirements, Strategy for continuous contact with capital markets, major shareholders and banks, Contingency capital plan in case the insurer may not be able to meet capital and technical provisions requirements. The contingency plan may include: o Short-term change of risk profile, o Information to supervisors, major shareholders and banks, o Raising of new capital from major shareholders, banks and capital markets, o Sale of business activities, o Merger with other institutions. 3 IAIS Guidance Paper on enterprise risk management for capital adequacy and solvency purposes, section 35 14
During this part of the ORSA the actuarial function should confirm that the capital plan is consistent with the insurer being able to comply with the technical provision requirements. 2.3 Assessment of risk profile compared to standard formula or internal model We understand this element of ORSA to be an assessment of the insurer s current risk profile compared to the standard formula or internal model. We discuss this assessment in detail in appendix 1. In this section of the document we would like to emphasise the following: For companies using the standard formula, evaluate the appropriateness of applying the standard formula (Ref: Art 45, par 1 (c) and art 103 111) by Describing the risk profile of the company, giving reasons why the application of the standard formula is appropriate for the company (although it is unclear to us whether the presumed risk profile behind the standard formula has yet been defined), including a ranking of the risk modules by their importance to the company s specific situation, Analysing the sensitivity of the standard formula to changes in the risk profile, including the influence of reinsurance programs, diversification effects and the effects of risk mitigation techniques, Elaborating on the appropriateness of the standard formula parameters, or a replacement of a subset of them according to art 104.7, the data sources used in the standard formula and processes for updating the assumptions, Explaining why the nature, scale and complexity of the risks justify simplifications to the standard formula, showing the simplifications are used in line with art 109 and showing that the simplified calculations have been calibrated in accordance with Article 104.4, Analysing how the model is used and its impact on the decision making in the company including how the results of the model are compared to reality. For companies applying a full or partial internal model, evaluate the appropriateness of applying an internal model (Ref: Art 45, par 1 (c) and art 112-127) by Providing a complete description of and motivation for the model at the time of its initial adoption. Ensuring regular monitoring (or in case of specific events) within the ORSA process and providing information of any external review/audit to support that the (partial) internal model always valid and whether the model is being used within the business as was intended when it was originally adopted. This monitoring should update the information on which risks are to be modelled by the internal model, which are not and update the 15
motivation for these choices. The monitoring should also explain how the risk categorisation within the model explains the causes and sources of profit and loss, Describing possible data sources not used and motivating why they are not used, Analysing the appropriateness of the statistical methods used, Analysing the performance of the internal model, suggesting areas needing improvement, and updating progress to improve previously identified weaknesses, Confirming the appropriateness of the standard formula sub-modules or the appropriateness of the internal model when they are applied in a subset of the insurance undertaking s business units, Regularly monitoring (or in case of specific events) that the internal model meets the requirements (appropriateness of the design and operations, and that the internal model continues to appropriately reflect the risk profile of the company), Evaluating the policy for changing the internal model Ensuring that the model passes the use test, Analysing how the model explains the actual sources of profits and losses and whether they are within agreed tolerance levels given the calibration of the model, Running the internal model on relevant benchmark portfolios, using a different time period or risk measure, or using assumptions based on external rather than internal data in order to verify the calibration of the internal model, Analysing circumstances under which the internal model does not work effectively. 2.4 Issues on proportionality At a seminar in Helsinki in March 2010 the Head of Insurance and Pensions Unit in EC, Karel van Hulle has described the proportionality principle as follows: Applies to all three pillars, i.e. quantitative requirements, qualitative requirements and disclosure, Applies also to the exercise of supervisory powers, Objective: ensure that the regime is not too burdensome for small and medium sized enterprises (SME) by taking account of their nature, scale and complexity. As examples on where the proportionality principle may be applied, according to the directive, Mr. van Hulle mentions: 16
Simplifications in the standards formula (article 109 and 111), Use of company specific parameters (article 104 and 110), Use of partial internal model (article 112), Governance functions (article 41), General principles of supervision (article 29). Application of the proportionality principle to the ORSA would require that the nature, scale and complexity of the risks inherent in its business are allowed for. As we mentioned above the ORSA process is a core element of any insurer s ERM. We therefore think that some caution should be taken in applying the proportionality principle to the ORSA process. Application of the proportionality principle should never free the management from their responsibility for undertaking a proper ERM. The ORSA process should naturally contribute to increase the company s awareness of the interrelationships between the current risk exposure, future risk exposure and internal capital requirements resulting from these risks. However we see that proportionality could function in three ways for the ORSA process: The ORSA process should not mean that proportionality applied elsewhere, especially in pillar I, would be overturned/cancelled with additional or tougher requirements, The ORSA process should be understandable and proportionate to the risks facing the company, As a feedback loop: the process should validate whether the principle of proportionality is applied in a sound manner and properly enables the company to identify the risks it faces in the short and long term and to which it is or could be exposed. As the ORSA is part of the governance function it should be subject to the proportionality principle. It is our opinion that the proportionality principle would only rarely be applied to the whole of the ORSA process but may more frequently be applied to parts of the ORSA based on the nature, scale and complexity of the insurer s business. We believe that the elements of the ORSA that are most relevant to the insurers business should never be exempted from the ORSA by applying the proportionality principle. It may be reasonable to promote an approach where the extent of the ORSA process is dependent on the company s current and future situation. 17
In section 2.1 we have listed a number of cases where a more detailed analysis of the overall solvency needs of the insurer may be more relevant. Proportionality in the ORSA process may typically be applied when the cases listed in section 2.1 are not relevant, e.g.: The insurer s risk profile, risk tolerance limits and business strategy are expected to remain unchanged during the planning horizon, The insurer is well capitalized and it would be very unlikely that the insurer would not meet its capital requirements, The insurer s risk profile is stable and assumed to be easily compared to standard model or internal model, The insurer is not planning any major changes to its business mix or acquisition strategy, No major changes in general business conditions, such as competition, legislation or legal practice, are expected. We would like to give some examples of cases where the proportionality principle may be applied to specific elements of ORSA given that the conditions above are fullfilled: A small local P/C insurer with short-tail business (e.g. local insurer), A P/C insurer with short-tail business (e.g. motor vehicle), A P/C insurer with many but small claims processed in a highly automatic way (e.g. reimbursement of medical expenses, like pharmacy, dental etc ), A life assurer providing one year risk products, A unit-link insurer. The proportionality principle may also be applied when discussing the optimal organization for an insurer. For smaller insurers it may e.g. not be possible to implement a separation of the actuarial function or risk management from operational units. As mentioned above the need for caution in applying any proportionality principle to the ORSA process is important to ensure that the unique risks of an individual undertaking get properly reviewed and considered. However, the sheer scale and size of what the ORSA should cover is daunting to many small undertakings and captives. We would suggest that the level 3 text should put forward suggestions on this matter. We would envisage the level 3 text explaining that the analysis, assessments and arguments concerning the undertakings nature, scale and complexity of its risks should dictate the proportionate approach taken by the relevant regulatory authority. It is always up to the management to prove in its ORSA that proportionality should apply. 18
2.5 Issues on internal model In their paper the IAIS discusses the use of an internal model for the ORSA. We would like to quote two statements from this discussion: When used for ORSA, the insurer s internal model is likely to be calibrated on the basis of defined modelling criteria which the insurer believes will determine the level of capital appropriate to meet its business plan and strategic objectives, 4 An internal model used by an insurer in the context of its ORSA for determining its own economic capital needs should not need supervisory approval for that purpose. However, an insurer would be expected to review its own internal model and validate it so as to satisfy itself of the appropriateness of the model for use as part of its risk and capital management processes. 5 We agree with the points made by the IAIS and interpret these in the way that an internal model used for ORSA should be reconcilable with any internal model approved by the regulator for the calculation of SCR within the first year of the projection period. However referring to our discussions under point 2.2 the model used for ORSA should not necessarily be a replication of the model used for SCR for each of the subsequent projection years. Setting the model scope: We would envisage the ORSA being used to define the risk profile of the firms and consider all risks incident on the insurance undertaking. We would envisage that the ORSA would assess the features of each risk including: The degree of materiality of the risk: o In section 2.1 we have defined material risks as risks that should come to the management s attention. We may quantify this definition and define material risks as those risks that, when included, change the risk capital beyond the level of materiality. We would expect the level of materiality to be consistent with the level of materiality used in the annual accounts and taking into consideration the uncertainty in the measurement of the risk. Material risks could be expected to include the main risks for the product lines and assets that an insurer had on its books, 4 IAIS Guidance Paper on enterprise risk management for capital adequacy and solvency purposes, section 50 5 IAIS Guidance Paper on enterprise risk management for capital adequacy and solvency purposes, section 54 19
o o Clear examples of material risks are those risk factors which when moved have the most effect on the own funds. If moving a risk factor to its 99.5% point doesn't result in a move in Own Funds in excess of the level of materiality one would expect a risk to be immaterial, Less clear areas are the following where more attention needs to be paid: Where a risk is immaterial on its own but could become material when other risks move at the same time, Where a risk appears to be immaterial but which has a high degree of uncertainty over its measurement, Where a risk is immaterial at a group level but material at solo level. The extent to which the risk is quantifiable: o We interpret quantitative risks as being those risks that can be measured sufficiently accurately using quantitative techniques, o Quantifiable risks could, for example, exclude certain types of low frequency high impact operational risks which almost wholly rely on expert judgement for their estimation, o Whether a risk is quantifiable will depend on to what extent a risk can be sensibly quantified. A quantifiable risk could be interpreted as a risk for which: Good quality data is available to quantify the risk, Some data supplemented by a defensible model is available. o A defensible model could be a model that can be defended through expert judgment to be representative of a risk, o Where no data or defensible model is available a risk could be considered non-quantifiable and therefore one would need to consider what treatment it should have under the internal model. We would envisage that the ORSA explains how the undertaking would treat each material and quantifiable risk and highlight risks not being treated. Risks that were both material and quantifiable could be treated using capital or risk reduction techniques. Some risks may be quantifiable and material but may still be better treated using risk management processes rather than capital e.g. Liquidity Risk could be quantifiable and material e.g. through liquidity (reverse) stress tests but may be better treated with a robust liquidity policy overseen with a good governance structure. For unquantifiable risks, just holding capital may not be the best way to mitigate the risk. Indeed holding capital against unquantifiable risks may falsely imply that the risk has been treated and avoid its proper inclusion in the risk management framework. Where capital is not held against a 20
risk however there would be a responsibility on the insurer to have a comprehensive plan for dealing with that risk. The plan should be maintained in the overall risk mitigation plan of the insurer and evidence should be available that the risk is monitored and the plan is being actively used. Reputational risk is an example of a risk that is non-quantifiable and which is better treated with good governance and risk management than capital. Non-quantifiable risks may be treated with some amount of capital because it is recognised that even a well formed risk management and governance system will not be able to fully protect against losses. For example reputational risks are often best treated using the risk management system but there will be some residual element of reputational risk that the insurer remains exposed to and capital may be held against this. Non-material risks could be excluded entirely albeit there would have to be assurance that the aggregated non-material risks did not sum to a material risk. Special care would need to be taken if the non-material risks co-varied positively as this could lead to a material risk. Uncorrelated non-material risks could diversify to a constant loss which would still need to be accounted for, albeit it would not be a risk. We would envisage that an approved internal model framework is used for the quantifiable and material risks in the ORSA. However we could envisage a potential conflict between re-use of the internal model for the ORSA if model features or the model calibration reflects supervisor requirements vs. the choice of the company management. Where an undertaking disagreed with the calibration required by their supervisor we would envisage that insurers could use the model calibration of their choice for the ORSA to facilitate the Use Test and ensure it truly reflected the management view. For example there could be a part of the internal model which the management were comfortable with but which a supervisor had not approved. In such cases the insurer may have been required to use a partial internal model and may have a risk module and correlation structure imposed on them by their regulator. In such instances it may be inappropriate to set future business plans or strategic decisions on a longer term than one year based on a model that was not the choice of the management. We would however envisage that the insurer would need to report the differences in the calibration and the reasons for the deviations from the internal model approved by the regulator. We believe these differences, the justifications and the discussions would be instructive for the regulator and the insurer. 2.6 Issues on groups The Implementing Measures for Supervision of Group Solvency for Groups with Centralised Risk Management paper (former CP 66) was released on 29 January 2010 and details some aspects of the ORSA process to be considered at Group Level (1.13, 3.27, 3,53 and 3.87). The directive also mentions this in article 246 (4). 21
Based on the Level 2 paper CP66 (1.13) and as stated in article 246 (4) of the directive, groups have the opportunity to apply for a single group wide ORSA process independently of having applied for a centralised risk management as well. On the other hand, subsidiaries retain responsibility for implementing all the requirements stated in article 45 consistently to allow for control at the group level. The EU financial supervision reform and the final outcome in respect of the relationship between the Group Supervisor and its subsidiaries Supervisors is going to be important. The reforms will be key to ensuring the appropriate simultaneous implementation of the ORSA at the group Level and in all the undertakings included in the scope of the group., Without simulataneous and consistent implementation some inconsistencies might arise in the case of the individual undertaking and they could be approached directly by their supervisor. This approach would need to be coordinated with the Group supervisor. Specific guidance on how to manage the relationship among supervisors and between the group supervisor and the subsidiaries supervisors should be provided in level 3. For effective capital management within a group we believe there is a need for a uniform approach to economic capital and a uniform approach to optimal capital allocation. However the optimal allocation of capital should also take into account fungibility and transferability (including transaction costs and tax issues). The CRO Forum defines fungibility and transferability as follows: Fungibility: When two or more things are inter-changeable or can be substituted for each other to achieve the same E.g assets held by different entities may be fungible if it is possible to effect a transfer into the same entity Transferability: Ability to move assets (or liabilities) from one ownership to another, this is often implicitly or explicitly within a given time frame. As part of the ORSA process the group should test extreme scenarios to understand how fungibility and transferabilty would work in these situations and also the importance of the time frame. An understanding and management of the fungibility and transferability of capital is a core part of a group s risk management framework. 3 Role of the Actuarial Function as defined in article 48 in the ORSA process The Actuarial Function is described in the directive s article 48: 22
Article 48 Actuarial function 1. Insurance and reinsurance companies shall provide for an effective actuarial function to: (a) coordinate the calculation of technical provisions; (b) ensure the appropriateness of the methodologies and underlying models used as well as the assumptions made in the calculation of technical provisions; (c) (d) (e) assess the sufficiency and quality of the data used in the calculation of technical provisions; compare best estimates against experience; inform the administrative, management or supervisory body of the reliability and adequacy of the calculation of technical provisions; (f) oversee the calculation of technical provisions in the cases set out in Article 82; (g) (h) express an opinion on the overall underwriting policy; express an opinion on the adequacy of reinsurance arrangements; and (i) contribute to the effective implementation of the risk-management system referred to in Article 44, in particular with respect to the risk modelling underlying the calculation of the capital requirements set out in Chapter VI, Sections 4 and 5, and to the assessment referred to in Article 45. 2. The actuarial function shall be carried out by persons who have knowledge of actuarial and financial mathematics, commensurate with the nature, scale and complexity of the risks inherent in the business of the insurance or reinsurance company, and who are able to demonstrate their relevant experience with applicable professional and other standards. 23
3.1 Contribution of the actuarial profession to the risk management function as defined in article 44 Many members of the actuarial profession are today working outside of the scope of the actuarial function as defined in the directive and our comments in this section may therefore be seen as a description of where the actuarial profession may contribute to the implementation of the Solvency II regime. The actuarial profession possesses a special competence with respect to actuarial mathematics, financial mathematics, mathematical statistics and elements of economics and law relevant for insurance. This unique set of qualifications is uniform for members of the profession and is described in Groupe Consultatif s Core Syllabus. Seen in the context of the directive the skill set of the actuarial profession are today typically used within three different areas: Within the actuarial function on tasks as: o Issues regarding calculation of technical provisions, o Review of underwriting policy and reinsurance arrangements, o Implementation of risk management system and risk modelling with respect to calculation of capital requirements. Within the risk management on tasks as: o Risks included in the calculation of the SCR: Underwriting and reserving, ALM, Investments, Liquidity and concentration, Operational, Reinsurance and risk-mitigation. o Partial or full internal models: Design and implementation, Test and validation, Documentation, Follow-up. 24
Within other fields of the insurer s organization with tasks as: o Product development, o Pricing, o Customer segmentation, o Business intelligence. We particularly believe that the actuarial profession can provide an essential contribution to risk management as described in the directive and the draft implementing measures. Members of the profession are today involved in the risk management functions of many companies. The members core responsibilities are typically risks as insurance risks, market risks or counterparty default risks related to reinsurers. Many actuaries are also involved in the development of internal models. The many different tasks for the actuarial profession within an insurer s organisation may create a problem. It is our belief that those actuaries working within risk management or in the actuarial function should have a sufficient level of operational independence. This could be solved as long as the person in e.g. the actuarial function is not responsible for task related to e.g. product development and pricing. In many companies this is solved differently because not all actuaries are located in the actuarial function but also in line management / underwriting business units. The principle of proportionality should of course also be considered in this respect. 3.2 Contributions of the actuarial function as defined in article 48 to the ORSA process The actuarial function can contribute to the ORSA process given its quantitative understanding of insurance risks and also other quantifiable risks like market risks and counterparty default risks. Actuaries are respected as leaders in quantitative understanding of insurance risks. Moreover, the role of the actuaries is central in asset liability management especially related to participating business or products with embedded options. One way of thinking about this is to envisage that the actuarial function may convey to the administrative and management body information about risk exposure (and especially insurance risk exposure) at least equivalent to that which the same body would expect in relation to the portfolio of a company it was thinking of acquiring. The output from such a due diligence exercise might include: Commentary on sources of business and potential implications for level, trend and volatility of future experience, 25
Commentary of the size of the portfolio and homogeneous risk groups within the portfolio and the similar implications, Description of the history of the evolution of the portfolio with assessment of implications, Distribution by case size within the portfolio with commentary on average and dispersion, Description of relevant contract terms general, special features, potentially onerous insurability options, renewal guarantees, etc, Commentary on reserve risks, particularly on: Discounting effects, Run-off patterns for long-tail business. Commentary on company s asset allocation and potentially hedging of insurance liabilities, particularly: Hedging of interest rate risks, Commentary on claims policy/processes and any implications, Commentary on reinsurance policy and implications, Commentary on underwriting policy/processes and implications, Consideration of possible risk concentrations geographic / occupational and any consequent catastrophic exposures, Past experience and any variations or trends in that experience with reasons / implications, Any other special features. 26
APPENDIX: In the appendix we have provided: A detailed description of the content of ORSA as described by IAA, A detailed description of the contributions of the actuarial profession to the ORSA process as described by IAA, A table comparing the concepts of Article 45 and the IAA framework. We will argue that by using the IAA framework we have been able to address all the requirements of the ORSA as outlined in Article 45. APPENDIX 1: CONTENT OF THE ORSA PROCESS AS DESCRIBED BY IAA Feature 1: Governance and Enterprise Risk Management Framework The IAA framework describes this feature as follows: As part of its overall governance structure, an insurer should establish, and operate within, a sound ERM framework which is appropriate to the nature, scale and complexity of its business and risks. The ERM framework should be integrated with the insurer s business operations, reflecting desired business culture and behavioural expectations and addressing all reasonably foreseeable and relevant material risks faced by the insurer in accordance with a properly constructed risk management policy. The establishment and operation of the ERM framework should be led and overseen by the insurer s board and senior management. For it to be adequate for capital management and solvency purposes, the framework should include provision for the quantification of risk for a sufficiently wide range of outcomes using appropriate techniques. It is our opinion that this feature addresses point 1 (a), 2 and 4 in Article 45. Suggested content of ORSA: Review the application of Enterprise Risk Management (ERM) in the management of the business and, in particular, review how ERM has been embedded in the strategic, operational and risks management processes. This can be done by: o Ensuring that the supervisory authority can easily review the application of ERM as part of the supervisory review process (SRP) by documenting it according to specified requirements, 27
o Performing a regular assessment of the processes around ERM by people that have not been involved in the processes under review and who are thus able to provide an independent assessment. The independent review can come from an external or internal assessment. Evaluate whether the company has in place an adequate system of governance taking into account the specific risk profile of the company, Review how ERM is used in business planning / management and particularly when dealing with new activities, Review the ERM processes, the responsibilities of key personnel involved in the processes and the independent assessment and internal reporting of ERM, Review performance management and reward systems and ensure that these include a recognition or inclusion of a risk management component, Review that a proper risk management culture is in place, Review the complexity/riskiness of the company and provide background to how risks have been assessed and significant or no significant. This might be a mechanism for introducing proportionality, Evaluate that the company has in place an adequate system of governance taking into account the specific risk profile, the business strategy of the company and the proportionality principle. In particular, evaluate the compliance with the governance requirements in the directive and in the implementing measures: General governance requirements (Art 41), Risk management systems (Art 44), Internal control framework (Art 46), Fit and proper requirements (Art 42), Compliance function (Art 46 par 2), Internal audit (Art 47), Outsourcing (Art 49), CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance (CP 33) and the corresponding draft of the IM document. Feature 2: Risk Management Policy The IAA describes this feature as follows: 28