To support Solvency II compliance, (re)insurers need to implement rigorous corporate governance programs that address all areas of the company, from the tone and activities of company leadership through granular risk and capital management activities. Consistent with the principles of ERM, the corporate governance framework should define a clear and robust organizational structure - including an adequate operational structure, the clear allocation of tasks and responsibilities, organizational transparency and efficient information systems across all business activities. The structure should delineate a clear separation between the risk management function and the audit function. There should be a clearly apparent independence of the two functions from each other. Management’s responsibilities must be evident.
Four Core Functions
Under Solvency II’s Pillar Two, corporate governance consists of four core functions:
- Risk management
- Internal audit
- Internal controls.
Risk management: This function is comprised of underwriting and reserving, asset and liability management (ALM), investment, liquidity and concentration - all explicitly for reinsurance and other risk mitigation and transfer techniques. Carriers are forced to embed reinsurance into the risk management process. The process should include defining risk appetite and implementing a limit system with reinsurance (for both treaty and facultative) as instrumental to managing underwriting limits.
Even though reinsurer concentration is typically discussed regarding Pillar One, for example, the issue of capital requirements to cover counterparty default risk is equally important to evaluate in terms of risk management under Pillar Two. It is especially important if a company’s limit system, derived from its risk appetite, involves a maximum limit per reinsurer or a band of default probabilities. Another equally important element regarding reinsurer concentration involves a limit system derived from market risk. This may apply, for example, to maximum equity holdings in a reinsurer counterparty or loans with a specific reinsurer.
Actuarial: This function is comprised of methodologies and procedures to assess the sufficiency and uncertainty of technical reserves, among other concerns. Carriers will need reliable and deep actuarial support (particularly from reinsurance intermediaries), with tested superior tools used to identify and model risk for prudent capital allocation as well as management decisions.
Internal audit: This function must be kept independent within the organization.
Internal controls: These are used to ensure the effectiveness and efficiency of the company’s operations regarding its risk and the availability and reliability of information and compliance with relevant regulations.
Under Pillar Two, affected (re)insurers are permitted to outsource operational functions as well as insurance and reinsurance activities. Catastrophe modeling exercises are included in this area because the results may serve as input for internal models or actuarial analysis. Nonetheless, the company remains ultimately responsible for those functions, as outsourcing itself does not provide any compliance risk mitigation benefit. Additionally, the service provider engaged in outsourced activities on behalf of a (re)insurer must be knowledgeable about the processes it executes - such as documentation - in order to provide the necessary risk management and control systems for its (re)insurer client.
Own Risk and Solvency Assessment
Solvency II’s Pillar Two includes a requirement that every company conduct its “own risk and solvency assessment” (ORSA). This includes a regular assessment of the company’s solvency needs and its compliance with those needs going forward. The (re)insurer should highlight areas where the assessment deviates significantly from its SCR assumptions. Where an internal model has been used, it should recalibrate in a way that transforms the internal results to make them consistent with the SCR calibration.
ORSA requires companies to implement proper processes for identifying and quantifying their risks in a coherent framework. The companies will also need to demonstrate that the assessments are integrated into their strategic decision-making processes and are not merely “check-the-box” exercises.
Importantly, the ORSA serves as the link between the quantitative Pillar One and the more qualitative Pillar Two by requiring (re)insurers to self-evaluate their capital needs and embed the results in daily management operations and decisions. For companies that already use internal models, this exercise is likely to lead to stronger alignment of internal models used for value-based management with the results they submit for regulatory purposes. (Re)insurers using the standard approach will find that ORSA makes them go beyond the pure standard approach in the assessment of their solvency.
ORSA is also likely to help (re)insurers optimize their underwriting and reinsurance processes by linking the entities’ risk profiles, risk tolerances and business strategies to the overall capital needed. Information used for the development of the standard formula or an internal model has to be complete, pertinent, precise, traceable and auditable, according to Solvency II guidelines. The process of securing and using data has to be clear and integrated into the development of the standard formula or internal model. After all, defining risk tolerance and risk metrics are among the primary challenges most companies will face in complying with Solvency II - and it is a prerequisite.
The Internal Model Approval Process
Under Pillar Two, internal model approval and use - as an alternative to using the standard formula to determine a company’s SCR - is an end-to-end undertaking. Rather than being limited to model development and implementation, approval extends to reporting internal model results sufficiently. Consequently, a rigorous, integrated process is necessary for meeting the requirements of the directive.
When a (re)insurance company submits an internal model - full or partial - to the appropriate regulator for approval, it should be accompanied by the results of the company’s most recent ORSA, as this will reflect the end-to-end nature of the Solvency II internal model approval requirement. Additionally, a justification for the rationale underlying the internal model will be necessary, along with a self-assessment of its readiness. Companies will have to demonstrate that the measures and processes regarding the structure and completeness of the models have been in place for a reasonable period prior to the application submitted to regulators - and that the model has been used as an authoritative instrument for a reasonable period.
The scope of the model will need to be defined in the formal application, including a summary of the company’s strategies for risk management and the business as a whole. The carrier will have to demonstrate that it understands the sources and nature of the risks it has identified, with a qualitative description and the exposure measurement for each risk. Also, the self-assessment process will likely require the inclusion of technical details, such as scope, design, build, integrity and details on the model application. Specifically, it should address the reconciliation process to assure accuracy of input data and transfer to the internal model.
Ultimately, the technical environment used for internal modeling and Solvency II compliance must be tested based on reasonableness, accuracy, completeness and comprehensiveness. Additionally, the self-assessment should show that the model and its output are appropriate to the company’s risks and operations. The process’s limitations and shortcomings should be identified, along with steps to address them.
What will the regulatory organizations want to see? Primarily, they will be looking at the scope and coverage of the internal model, methodology and documentation, data quality, quantitative procedures, qualitative procedures and the technical environment. They also will want to examine the use of catastrophe models from external firms, as long as they are noted for the regulators.
During the approval process, companies will need to detail for the regulators the types of changes expected in the model. Two levels of changes are defined. Minor changes are those that will not require full approval of the model. Major changes to the model require the company to submit the model and modeling process details as if it were a new model.
There are no exemptions to the approval criteria for carriers using models or data from external vendors. The company will still need to demonstrate suitability for use in an internal model.
Catastrophe Modeling Documentation Requirements
The documentation of catastrophe model functionality and development details are a crucial part of Solvency II compliance, irrespective of the use of a full or partial internal model (see Figure 1). Examining regulators will ensure that all necessary information has been captured to demonstrate that the catastrophe modeling software is of sufficient quality and it functions correctly. Further, they are likely to require a record of appropriate model usage for the determination of capital requirements.
New model releases and upgrades over the years are likely to pose challenges, as the results might change significantly and thus require updated internal modeling approaches and changes in documentation. If the modifications are vast enough, the carrier may need to submit the model and attendant processes to regulators for approval anew.
Model results are driven by the accuracy of the underlying components and data. The model developers and vendors control the quality of each component. Thus, components can vary significantly by country and peril. Under Solvency II, the (re)insurer is still responsible for providing sufficient documentation to the appropriate regulatory authority.
Model documentation for regulatory approval should follow a strict methodology that reflects key factors. These include the use of any external vendors, the company’s procedures for managing risk and capital and the specifics of the model’s upgrade or release roadmap. It should outline how the probabilistic catastrophe model components and output fulfill the quality requirements under Solvency II for corresponding markets and perils.
Beyond the model itself, carriers will be expected to show full documentation on how portfolio data was processed and subsequently used in catastrophe models. The major subjects to be covered include:
- Date and completeness of raw data
- Currency, units and rates of exchange archive
- Data cleansing
- Total insured value (TIV) summary by line and coverage
- Geocoding levels and changes (year to year)
- Portfolio data changes (year to year)
- Assumptions on splits and missing data
- Application of policy information (deductibles and limits)
- Parameter setting and mapping
- Results and result changes (year to year)
- Reasonability checks of results (historic losses)
The obligation of the carrier to provide thorough documentation to the regulator may be hampered by the fact that a vendor may treat the modeling components it has created as intellectual property. W hen this is the case, the (re)insurer may not have full access to all model details. C onsequently, a carrier’s catastrophe modeling analyst will be able to provide a high-level summary of the catastrophe model technology based on the information that the vendors have shared with the public. F urther, a major part of the information required pertains to how the carrier uses the vendor’s technology, including its use of controls with historical events and stress testing to quantify the impact of key features (and limitations) of each component (see Table 1).
Catastrophe model vendors and regulators encourage companies to apply stress tests and sensitivity analyses to validate procedures as a way to better understand risk and uncertainty.