
Solvency II and Risk Management

Part 3: Practical Guidance to Risk Management


Part 1 | Part 2 | Part 3 | Part 4

What are the main challenges?

Implementing good risk management and complying with Solvency II will be a journey. Stage 1 is meeting the regulatory requirement; the approach to risk within the business is the bedrock for doing so. Further improvements and the real business benefits will come later. The important thing is to do things in a logical order. Have the main principles in place early, but do not make the mistake of diving into the detail too soon. 

The balancing act
It is neither possible nor desirable to enter into a zero risk regime - the challenge is to balance risk and reward within the business; sometimes it will be correct for (defined and managed) business risk to go up rather than down. And the role of the Chief Risk Officer itself is very much a balancing act. Depending on the company structure, the first issue may be to establish exactly what that role is, what s/he is accountable for and how it fits into the rest of the organisation. In particular, the interfaces with other group functions such as finance, compliance, internal audit and actuarial will need to be clearly defined and practical approaches established.

  • Finding a balance between group, business unit, territory and subsidiaries. Different models for this exist, which depend on the underlying culture within the organisation. For instance, those with a strong centralised or ‘command-and-control’ culture tend to have risk frameworks biased towards group functions whereas those that encourage more local autonomy tend to have greater responsibility for risk management at the local level. 


  • Getting the right, good quality data into the risk systems. Typically, this data is spread throughout the organisation with little co-ordination, consolidation or reconciliation. Operational data is frequently missing or just incorrect. This has been a particular problem with Basel II, which requires a robust data and MI architecture. Evidently, if the data is wrong, it will be very difficult to have a realistic assessment of the risks. 


  • Balancing risk, reward and cost. This requires an intimate understanding of the company’s goals, objectives and drivers for value, taking into account the value of improved risk management and the cost of both implementation and ongoing management.


  • Company culture. The company culture can be either a positive or a negative influence. Cultural norms have evolved over many years and the CRO needs to identify which parts are positive and which will need to be changed. Changes in culture can take a long time and demand a lot of effort and incentives. The risk management approach and implementation will need to take account of both the current and target culture of the company.


  • Avoiding a ‘tick box’ mentality. In the way regulatory compliance has often been approached in the past, staff will ‘go through the motions’ of complying with the regulations without really thinking about it. In many cases, boxes will be ‘ticked’ automatically. For risk management to be effective, all staff must remain conscious, at all times, of the potential risks to the organisation from their actions and the actions of others around them.


  • Creating the right level of documentation and procedures to make risk management effective within a successful business. Too much or too little will cause problems. The approach to the documentation, and the procedures and controls, need to be in tune and consistent with the way business is done within the organisation. Trying to impose alien concepts will generally fail, as they will often be misunderstood, bypassed or forgotten. They will not become embedded within the business.


  • Effective communication throughout the organisation. Good risk management requires everyone in the organisation to play their part. Each individual needs to know their role in the framework, how it relates to others’ roles and what it aims to achieve. They need to understand both the conceptual and the practical aspects – and they need to be kept up to date and have the message reinforced regularly – particularly during the implementation stages.

How to address these challenges?
  • The Board must take ownership. It is essential that there is clear – in other words, visible and communicated – ownership, commitment and cultural direction from the Board.


  • There must be company-wide buy-in. The risk management approach needs the active involvement and support of all business leaders and staff across the whole organisation. This requires a big communication effort, education and interactive discussions with all parts of the business. This needs to be sustained over a long period of time – there will be new concepts and evolving regulation to absorb, and a consistent and robust message to engender and reinforce.


  • The principles for risk management need to be agreed centrally for the whole organisation. As all parts of the group will contribute to the group’s risk profile and therefore capital position, there needs to be a high level of consistency.


  • Risk assessment should be done at the local level (in other words, where the risk resides). There will need to be group-wide co-ordination and facilitation to ensure that one part of the business assesses risk in the same way as another. For instance, how will they measure likelihood? And what do they consider ‘material’?


  • Operational Risk. Operational risk is the most pervasive and least well understood aspect of risk in insurance companies. Addressing it requires involvement across the whole organisation and is likely to take some time – and several cycles.


  • IT involvement is crucial to success. A well-designed and implemented data and systems architecture is the only real way of getting the robust, quality data and Management Information that is needed to assess individual – and especially correlated – risks across the organisation in a timely and consistent way.


  • Overlapping and contradicting regulatory requirements. The UK had a period of implementing Basel II, Prudential Sourcebook, IFRS and the Insurance Mediation Directive all at the same time, creating serious difficulties for day-to-day running of the business. This type of situation may occur again in the next four years, in which case it may be advisable to create an integrated regulatory change programme to help deal with the issue.

 

