David Flandro, Global Head of Business Intelligence, Claude Lefebvre, Head of GC Analytics EMEA Region, Eddy Vanbeneden, Head of GC Analytics France and Benelux and Frank Achtert, Managing Director
To support Solvency II compliance, (re)insurers need to implement rigorous corporate governance programs that address all areas of the company, from the tone and activities of company leadership through granular risk and capital management activities. The corporate governance framework should define a clear and robust organizational structure - including an adequate operational structure, the clear allocation of tasks and responsibilities, organizational transparency and efficient information systems across all business activities. The structure should delineate a clear separation between the risk management function and the audit function. There should be a clearly apparent independence of the two functions from each other. Management’s responsibilities must be evident.
Four Core Functions
Under Solvency II’s Pillar II, corporate governance consists of four core functions:
- Risk management
- Internal audit
- Internal controls.
Risk management: This function is comprised of underwriting and reserving, asset and liability management (ALM), investment, liquidity and concentration - all explicitly for reinsurance and other risk mitigation and transfer techniques. Carriers are forced to embed reinsurance into the risk management process. The process should include defining risk appetite and implementing a limit system with reinsurance (for both treaty and facultative) - as instrumental to managing underwriting limits.
Even though reinsurer concentration is typically discussed in regards to Pillar I (i.e., capital requirements to cover counterparty default risk), it is equally important to evaluate in terms of risk management under Pillar II. It is especially important if a company’s limit system, derived from its risk appetite, involves a maximum limit per reinsurer or a band of default probabilities. Another equally important element regarding reinsurer concentration involves a limit system derived from market risk. This may apply, for example, to maximum equity holdings in a reinsurer counterparty or loans with a specific reinsurer).
Actuarial: This function is comprised of methodologies and procedures to assess the sufficiency and uncertainty of technical reserves, among other concerns. Carriers will need reliable and deep actuarial support (particularly from reinsurance intermediaries, for example) with tested superior tools used to identify and model risk for prudent capital allocation as well as management decisions.
Internal audit: This function must be kept independent within the organization.
Internal controls: These are used to ensure the effectiveness and efficiency of the company’s operations regarding its risk, the availability and reliability of information and compliance with relevant regulations.
Under Pillar II, affected (re)insurers are permitted to outsource operational functions as well as insurance and reinsurance activities. Catastrophe modeling exercises are included in this area because the results may serve as input for internal models or actuarial analysis. Nonetheless, the company remains ultimately responsible for those functions as outsourcing itself does not provide any compliance risk mitigation benefit. Additionally, the service provider engaged in outsourced activities on behalf of a (re)insurer must be knowledgeable about the processes it executes - such as documentation - in order to provide the necessary risk management and control systems for its (re)insurer client.
Own Risk and Solvency Assessment
Solvency II’s Pillar II includes a requirement that every company conducts its “own risk and solvency assessment” (ORSA). This includes a regular assessment of the company’s solvency needs and its compliance with those needs going forward. The (re)insurer should highlight areas where the assessment deviates significantly from its SCR assumptions. Where an internal model has been used, it should recalibrate in a way that transforms the internal results to make them consistent with the SCR calibration.
ORSA requires companies to implement proper processes for identifying and quantifying their risks in a coherent framework. The companies will also need to demonstrate that the assessments are integrated into their strategic decision-making processes and are not merely “check-the-box” exercises.
Importantly, the ORSA serves as the link between the quantitative Pillar I and the more qualitative Pillar II by requiring (re)insurers to self-evaluate their capital needs and embed the results in daily management operations and decisions. For companies that already use internal models, this exercise is likely to lead to stronger alignment of internal models used for value-based management with the results they submit for regulatory purposes. (Re)insurers using the standard approach will find that ORSA makes them go beyond the pure standard approach in the assessment of their solvency.
ORSA is also likely to help (re)insurers optimize their underwriting and reinsurance processes through data quality and control. Information used for the development of the standard formula or an internal model has to be complete, pertinent, precise, traceable and auditable, according to Solvency II guidelines. The process of securing and using data has to be clear and integrated into the development of the standard formula or internal model. After all, defining risk tolerance and risk metrics are among the primary challenges most companies will face in complying with Solvency II - and it is a prerequisite.
The Internal Model Approval Process
Under Pillar II of Solvency II, internal model approval and use - as an alternative to using the standard formula to determine a company’s SCR - is an end-to-end undertaking. Rather than being limited to model development and implementation, approval extends to reporting internal model results sufficiently. Consequently, a rigorous, integrated process is necessary for meeting the requirements of the directive.
When a (re)insurance company submits an internal model to the appropriate regulator for approval, it should be accompanied by the results of the company’s most recent ORSA, as this will reflect the end-to-end nature of the Solvency II internal model approval requirement. Additionally, a justification for the rationale underlying the internal model will be necessary, along with a self-assessment of its readiness. Companies will have to demonstrate that the measures and processes regarding the structure and completeness of the models have been in place for a reasonable period prior to the application submitted to regulators - and that the model has been used as an authoritative instrument for a reasonable period.
The scope of the model will need to be defined in the formal application, which will need to include a summary of the company’s strategies for risk management and the business as a whole. The carrier will have to demonstrate that it understands the sources and nature of the risks it has identified, with a qualitative description and the exposure measurement for each risk. Also, the self-assessment process will likely require the inclusion of technical details, such as scope, design, build, integrity and details on the model application. Specifically, it should address the reconciliation process to assure accuracy of input data and transfer to the internal model.
Ultimately, the technical environment used for internal modeling and Solvency II compliance must be tested based on: reasonableness, accuracy, completeness and comprehensiveness. Additionally, the self-assessment should show that the model and its output are appropriate to the company’s risks and operations. The process’s limitations and shortcomings should be identified, along with steps to address them.
What will the regulatory organizations want to see? Primarily, they will be looking at the scope and coverage of the internal model, methodology and documentation, data quality, quantitative procedures, qualitative procedures and the technical environment. They also will want to examine the use of catastrophe models from external firms, as long as they are noted for the regulators.
During the approval process, companies will need to detail for the regulators the types of changes expected in the model. Two levels of changes are defined. Minor changes are those that will not require full approval of the model. Major changes to the model require the company to submit the model and modeling process details as if it were a new model.
Catastrophe Modeling Documentation Requirements
The documentation of catastrophe model functionality and development details are a crucial part of Solvency II compliance, irrespective of the use of a full or partial internal model (see Figure 3). Examining regulators will ensure that all necessary information has been captured to demonstrate that the catastrophe modeling software is of sufficient quality and it functions correctly. Further, they are likely to require a record of appropriate model usage for the determination of capital requirements.
New model releases and upgrades over the years are likely to pose challenges, as the results might change significantly and thus require updated internal modeling approaches and changes in documentation. If the modifications are vast enough the carrier may need to submit the model and attendant processes to regulators for approval anew.
Model documentation for regulatory approval should follow a strict methodology that reflects key factors. These include the use of any external vendors, the company’s procedures for managing risk and capital and the specifics of the model’s upgrade or release roadmap. It should outline how the probabilistic catastrophe model components and output fulfill the quality requirements under Solvency II for corresponding markets and perils.
The obligation of the carrier to provide thorough documentation to the regulator may be hampered by the fact that a vendor may treat the modeling components it has created as intellectual property. When this is the case, the (re)insurer may not have full access to all model details. Consequently, a carrier’s catastrophe modeling analyst will be able to provide a high-level summary of the catastrophe model technology based on the information that the vendors have shared with the public. Further, a major part of the information required pertains to how the carrier uses the vendor’s technology, including its use of controls with historical events and stress testing to quantify the impact of key features (and limitations) of each component (see Table 1).
Catastrophe model vendors and regulators encourage companies to apply stress tests and sensitivity analyses to validate procedures as a way to better understand risk and uncertainty. Guy Carpenter’s GC Analytics℠ team typically conducts these analyses for (re)insurers.