By Raphael Borrel, Senior Manager at Deloitte LLP and Michel de La Belliere, Partner at Deloitte Conseil.
Solvency II is intended to radically change supervision of insurance within the EU. It will move Europe’s insurance supervision onto a modern, risk-sensitive platform far superior to that of the existing Solvency I regime. Meeting all the requirements of the Directive will however not happen overnight; hence many regulators have highlighted the need to start planning for implementation now.
To be Solvency II compliant by 2013, it is essential to identify precisely what activities will be required and how they should be prioritised. Drawing the overall road map and estimating global cost will also need careful consideration early in the Solvency II project. Companies should not treat Solvency II as a pure compliance exercise and should concentrate on identifying synergies between business needs and compliance requirements to drive business efficiency opportunities.
Solvency II will require insurance companies to integrate risk and risk management in all aspects of corporate day-to-day decision making, in particular in terms of setting the strategy. Insurers will need to strengthen the links between all the competencies that contribute to risk management.
In this article, we highlight some of the challenges that insurance companies face in their attempt to implement the Solvency II Directive.
‘Reading’ the regulators
Complying with an evolving regulatory requirement is a real challenge. Insurance companies might be tempted to adopt a minimum compliance strategy and discover at a later stage that they underestimated regulators’ expectations. On the other hand, interpreting current high level requirements of the draft Directive to develop a “gold plated” compliance framework may prove to be an unnecessary costly investment.
In their efforts to comply with the Solvency II Directive, insurance companies should therefore concentrate on identifying and implementing initiatives that will improve their business performance. For example, opting for the implementation of an internal model will provide information that can be used to help optimise the design and purchase of reinsurance, improve the pricing strategy of the underwriting function and optimise the allocation of capital across business lines.
Solvency II, Market Consistent Embedded Value (MCEV) and International Financial Reporting Standards (IFRS) Phase II are three industry initiatives which, from an implementation perspective, require substantial involvement from the same finance, risk and actuarial departments. Market value management being central to each of these three initiatives, it is essential that insurance companies identify potential synergies between them to improve the effectiveness of the control of the organisation and of the reporting to the various internal and external stakeholders. Addressing these initiatives in silos could result in a waste of time, money and resources.
As indicated by the CFO Forum in June 2008, the same building blocks of market consistent financial assumptions can be found for Solvency II, MCEV and IFRS Phase II. There are still a number of potential differences, but also great opportunities for convergence between the three frameworks. An example of convergence is that both IFRS and Solvency II require liabilities to be estimated on the basis of current exit value. Another example of convergence is that MCEV, IFRS Phase II and Solvency II require liabilities to be explicitly discounted at a rate that is independent of the assets held to match those liabilities.
It is important to understand how the three initiatives interrelate. This can be done by creating a regulatory map that lays out multiple mandates and addresses how to satisfy the matrix of requirements. Data underpinning the three initiatives will be common but it is important to understand the different outputs that data will need to populate. Team members responsible for the implementation of these three projects should liaise on a regular basis to ensure the appropriate level of consistency in the design and development of models, processes and deliverables. A consistent approach to sign-off assumptions and models should also be adopted.
Link between information, technology, risk management and the business
Solvency II emphasises the importance of realistic balance sheet valuation as the foundation for the development of a risk-based capital regulatory framework together with a realistic liability valuation. In this context, insurers will require accurate and timely information from the business. Risk and capital information should also be used by the business to form strategic decisions.
In practice, this will be far from a seamless process: data sources can be flawed or non- existent; technology architecture may make data flows cumbersome and unreliable; risk management may lack the maturity and framework to provide an integrated view of risks to senior management; lastly, the management may not consider risk insights as a valuable input in major business decisions.
Understanding the quality and availability of existing information within the insurer is key to a successful Solvency II implementation. Most risk measurement information will come from the business, through policy administration, claims management and asset management.
Sound internal controls for each step of data processing will be critical to get reliable information. Fortunately, this usually contributes to customer service quality as well. When information is either partial or missing, external sources and expert judgment could be good substitutes as long as insurers clearly understand the limits of using information in the context of their own business.
In the context of Solvency II, technology should not be limited to the calculation of capital. It should be viewed as a key opportunity to improve existing processes and reporting tools. Critical building blocks to the Solvency II technology challenge are data warehouses and data marts, which will store both the input and the results, both intermediate and final, of modelling exercises. They are essential to the implementation of a strong audit trail, a key element for model approval.
A GIRO working party survey estimated that general insurance actuaries spend on average more than 25 per cent of their time on data quality issues. There is clear scope to drive business efficiencies opportunities from a Solvency II implementation as information technology can help to automate controls and consolidation. Having good data and tools will be worthless without a robust risk management framework. The risk management framework should include the policies and procedures that lay down key risk indicators, the limits and the responsibilities for setting the limits, and acting on the indicators.
The implementation of an insurer’s risk management framework starts with an understanding of the risks affecting its business. Insurers then need to set a strategy to manage these risks. Input from models and reporting systems, based on the data and technology discussed above, will be essential for an insurer to get a reasonably accurate picture of its risk profile, define its risk appetite, organise the risk management so that it is effective while remaining compatible with the business culture, and feed the risk perspective in the business decisions.
Data management and technology relating to risk management activities should always be designed to serve the business: a major risk for Solvency II implementation is the creation of a wonderful risk management infrastructure that will function in isolation from the business it should serve.
The Draft Directive requirement to demonstrate use of the internal model clearly requires insurers to consider risk and capital as an essential element in their business decisions. The link between risk management, capital and the business, needs to be established both at strategic level and within day-to-day operations. Risk management will also need to evolve to take into account internal and external change factors such as consumer behaviour, new products, organisation change and economic conditions. These changes should be reflected both in risk data and risk management processes.
Insurance organisation will require co-operation between a wide range of experts to weave the thread that ties information, technology, risk management and business decisions. They will need to overcome various obstacles such as differing working practices and business focus, cultural gaps, reluctance to share information and point of views, etc.
Breaking these obstacles will require success on two fronts: firstly, each department will need to recognise the opportunities of Solvency II and support the implementation programme; secondly, all departments will need to support the same Solvency II target.
Starting with a clearly articulated Solvency II “target state” is a possible way to achieve both internal support and consistency. The “target state” should at least cover risk technology architecture (with a strong data management component), an organisational view of the dynamics of risk management and a view of the documentary base required to demonstrate internally and externally the practices of risk management.
Such a view was not easy to understand back in 2007, as the regulation was still difficult to figure out beyond key principles. Since then, CEIOPS and industry bodies at national and European level have issued many more detailed papers, points of views and comments covering all three pillars. Creating a practical view of how insurers will look in a Solvency II world becomes more tangible. In the layout of the Solvency II “target state”, insurers should strive to illustrate the interdependencies between all departments and demonstrate the benefits of not operating in silos. This will be particularly visible in areas such as economic capital calculation where business, technology, actuarial and accounting teams all contribute at one step of the process. Should any divergence arise between the various competencies, insurers should take the opportunity to address them early, rather than having to rush to a solution right before the supervisor’s assessment.
Support will also depend on the Solvency II road map. Too-ambitious planning will trigger rejection from overworked departmental staff who have to meet both day-to-day commitments to clients, management, supervisors and shareholders and the achievement of aggressive deadlines. A road map leaving aside or postponing the priorities of key contributors could also trigger a lack of support from their part. Implementing Solvency II is also a management challenge, not just a technical one. The responsibility to foster a strong internal support for the implementation of Solvency II rests with the senior management of the insurer. They should set the common “target state” and validate the implementation plan.
On July 10, 2007, during the Official presentation of the Solvency II Directive, Thomas Steffen, CEIOPS chairman, stated that “Solvency II is not just about capital. It is a change in behaviour”. Solvency II signals a fundamental shift towards a comprehensive enterprise risk management (ERM) culture. It will require insurance companies to integrate risk and risk management in all aspects of corporate day-to-day decision-making.
Under Solvency II, firms will need to set and explicitly determine their own risk appetite and level of capital required to run the business. The Own Risk and Solvency Assessment (ORSA), which is a documented internal process to identify all “own risks” and “the own solvency needs to cover these risks” will be an important part of a firm’s management and decision-making. The use of an internal model to calculate its Solvency Capital Requirement (SCR) will be subject to its integration within its overall risk management and decision-making activities.
Examples of internal model use were provided by the FSA in a September, 2008 discussion paper, as partially outlined below:
- Reinsurance – analysis, design and purchase of the reinsurance programme.
- Underwriting – pricing of the business through the allocation of capital to lines of business and linking to the firm’s business plan targets.
- Investment management – determining the possible effects of investment decisions.
- Product development – understanding the potential impact of new product developments and developing alternative business plan projections.
- Management information – understanding the risks in the business plan and sensitivities to key assumptions, and how this fits with the firm’s risk appetite.
- Strategy/planning – assessing the possible impact on the risks and capital of the business of various strategies and objectives.
- Corporate finance – assessing the possible impact on the risks and capital profile of the business of potential mergers, acquisitions and disposals.
- Finance function – risk based performance reporting using measures such as Return On Risk Adjusted Capital (RORAC).
Under Solvency II, insurance companies will need to encompass in their risk management culture the company’s philosophy towards risk and risk appetite. The risk management function will be responsible to convey the risk management culture throughout the firm. Risk management policies and procedures will need to be understood, adopted and implemented across the company.
One could argue that rather than a regulation, Solvency II is a deregulation in some important areas, bringing much more flexibility in the conduct of the business (e.g. freedom of investments). Solvency II offers many opportunities that may impact insurers differently depending on their size, geographical footprint, mix of business, and so on.
Solvency capital potentially becomes a competitive advantage, since two insurers writing the same line of business for the same clients will not be required to hold the same level of capital (as is the case with Solvency I). Insurers will fail to seize the opportunities if they lack a proper process to factor Solvency II in their development strategies, be it external or internal growth.
Regarding external growth, Solvency II will introduce a new perspective in the mergers and acquisition strategy targets: changes of an insurer’s risk profile may reduce the combined regulatory capital requirements through diversification effects. They may also result in additional regulatory capital requirements in the case of failed diversification or through capital add-ons triggered by the supervisor’s perception of operational risk and risk control issues during post-merger integrations. In terms of internal growth, Solvency II could be a source of innovation in product development, as insurers start to factor all the risk elements in the design and pricing of new products. Since volatility is what ultimately determines the level of solvency capital to hold, insurers will strive to optimise the existing tools to reduce volatility or look for new ways to do so in the product or pricing structures. In addition, diversification being now recognised, product strategies may change to benefit from this new variable more than is the case today.
Lastly, existing insurance products may be more or less expensive to carry under Solvency II than Solvency I. For many insurers, QIS calculations on specific lines have shown tangible gaps between products loaded with the same Solvency I capital ratio.
The Draft Directive requires insurers to factor a risk assessment in their business strategy: article 44 (4), describing the ORSA process, states that “the own risk and solvency assessment shall be an integral part of the business strategy and shall be taken into account on an ongoing basis in the strategic decisions of the undertaking”.
Several issues will have to be solved in order to properly incorporate Solvency II in mergers and acquisition and product strategies: one will be the ability to split solvency capital requirements at a level of detail which makes it useful for product strategy and design; another major challenge will be to train managers into thinking “risk” as well as “financial return” or “sales volume” when they make decisions. The former may be easier to resolve as it involves mostly “technical” work: parameterisation, tool development, etc. The latter needs a more cultural approach, since a mass “re-parameterisation” of managers is not an answer!