UK: Shifting Gears For The New Regime - The Role Of Risk Governance In Solvency II, October 2009

Last Updated: 23 November 2009
Article by Deloitte Financial Services Group


Governance is one of the most prominent features on the regulatory landscape for insurers. Intensive scrutiny over governance arrangements will be a characteristic of the FSA's supervisory approach as announced in the Turner Review in early 2009. The Walker Review proposals for governance arrangements within UK banks and other financial industry entities (including insurers) set out the scale of structural and cultural changes required to reach best practice. But an equally compelling motive for insurers to reassess their systems of governance is that it forms an integral part of the Solvency II regime.

Although a number of existing governance regulations currently impact insurers, such as those within the FSA handbook and the Companies Act 2006, Solvency II will catalyse a re-examination of whether insurers' governance models are fit for purpose. Embracing this opportunity for change could unlock cost efficiencies through improved organisational design, information and processes while failure to implement and communicate effective governance approaches to the regulator could lead to additional regulatory capital charges under Pillar 2.

In this article we explore those areas that insurers may find particularly challenging when trying to enhance their risk governance as part of Solvency II. In particular we focus on the need for an organisational structure that supports effective oversight and challenge of capital and risk management. In addition, we reflect on the importance of robust management information, as well as the governance challenges associated with developing and embedding an internal model. (The distribution of rights and responsibilities relating to a firm's broader corporate affairs, for example the relationship with shareholders, is not considered within our risk governance discussion here.)

Implementation challenges posed by Solvency II

Although the new regime is scheduled to be implemented in the EU in October 2012, many insurers have paid heed to the FSA's advice to initiate Solvency II gap analysis, design and implementation programmes. The advice to start early is equally relevant to risk governance. Underestimating the time and complexity of changing governance arrangements is a common pitfall. While changing structures and processes can appear relatively straightforward on paper, truly embedding change in a firm's governance arrangements is a more challenging and subtle undertaking, not least due to the level of Board and Executive input, buy-in and consensus required.

A widespread misconception is that all effort should first be concentrated on getting the Pillar 1 mathematical calculations correct. Successful implementation of Pillar 1 requirements may also require acceleration of certain risk governance aspects; for example, a training programme for senior management running in parallel to internal model design may be necessary so as not to delay the approval process. It is our belief, informed not least by our experience with Basel II, that a joined up view of Solvency II requirements across the three Pillars is the only way to tackle Solvency II efficiently.

Delivering and demonstrating effective oversight & challenge

Many insurers have adopted the "three lines of defence" risk governance model, shown above in its most typical form. Despite embracing this model, some insurers still struggle to articulate how oversight is apportioned between the risk management and other specialist functions, such as actuarial or treasury departments. Although the Solvency II Directive does not refer to this issue explicitly, transparent apportionment of oversight responsibilities and the existence of independent checks and challenges are critical to achieving "an adequate organisational structure with a clear allocation and appropriate segregation of responsibilities"1.

Some insurers take the approach that specialist functions, such as actuarial, are "second line" and responsible for oversight for specific areas of the risk universe. Other firms require the risk management function to oversee these specialist functions, but are then faced with the necessity of building sufficient expertise within the risk team. It is not unusual for specialist functions to perform a combination of first and second line activities, for example providing management information and processes to support the first line, while providing oversight and challenge of Business Units as part of a second line role. Organisations should be alert to the potential for conflicts of interest and avoid situations where a specialist function is performing a first and second line role over the same business or technical area. Insurers should be able to demonstrate the existence of objective review and skilled challenge of key decisions as part of their articulated governance model.

Ensuring that the Chief Risk Officer and risk function have sufficient standing in the organisation is vital to achieving meaningful challenge and ultimately the effective risk governance required by Solvency II. The Chief Executive of the FSA earlier this year expressed the view that appropriate stature to provide genuine challenge will only materialise if an executive director solely responsible for risk is on the main Board2. In those insurers where the CRO reports to the CFO, consideration should be given to whether the CRO has appropriate and unfettered levels of access to the CEO and the Board and whether a Board reporting line needs to be defined in addition to the Executive reporting line. The role of an independent Non-Executive Director ("NED") is also the subject of much discussion in the wake of the Walker Review's call for a materially increased time commitment from NEDs including the formation of a Board Risk Committee, chaired by a NED. Although the final report from Walker will only be released in November 2009, it seems likely that NEDs will be expected to demonstrate more active involvement in risk management discussions, including proactive requests for information on a firm's underlying risk exposures, the linkage to the capital position and challenge of risk appetite.

Driving competitive advantage through an integrated approach to risk and capital

At the heart of Solvency II is the need for more closely integrated risk and capital management which will drive better aligned interactions between risk, finance, actuarial and the business through this cycle. As illustrated here, true integration will permeate multiple aspects of the organisation from strategic decision making, to business processes and performance management.

At present, insurers have risk management functions, capital management procedures and business processes, but they are typically managed separately from each other, often operating in silos. This can lead to duplication of effort and business decisions taken without due consideration of the relevant risks. The scope and mandate of control functions (such as risk, compliance, actuarial and finance) will also need to be aligned and agreed. An integrated approach to risk and capital may also necessitate revisiting committee structures and considering whether the right discussions are taking place in the right forum. Insurers should also appraise whether resources with the right skills and expertise are in the right places. For example, the compliance function may need additional resource and closer alignment with the risk management function to effectively advise on prudential compliance (as suggested by the Directive).

Although investment will be required by many insurers in order to design and implement their target organisational design for integrated risk and capital management in a post-Solvency II world, taking a fresh look at the organisation provides a significant opportunity to draw out synergies. Stripping out organisational inefficiencies and duplicative processes offers the potential to deliver operational excellence and competitive advantage as well as providing a robust platform for improving the wider target operating model.

Governance over internal models

The internal model should be the "backbone" of the information used to inform decisions about the business. Embedded properly, it should inform strategy and be used for a wide range of business decisions including product development, pricing, investment strategy, capital management, assessing customer benefits and assessing the riskiness of the business strategy.3

The decision to develop an internal model for Solvency II brings with it several governance challenges:

Optimising use of specialist resource

Under the Solvency II Directive, ownership for the internal model is within the risk management function, including responsibility for design and implementation of the internal model; testing and validation; and documentation and analysis of performance of the model. Assigning these tasks to the risk function is intended to encourage the internal model to be embedded and maintained as an effective risk management model. However the actuarial function is tasked with specific responsibilities and sign-offs over the internal model outputs, namely: reserving; capital; data suitability; underwriting policy; and reinsurance arrangements. Clearly the risk management and actuarial functions will need to work closely together in order to make this work.

We recommend insurers give careful thought to how responsibilities for development, validation and on-going review of the model are allocated. Firms should be alert to the possibility of conflicts of interest and think proactively about how these should be mitigated. If risk and actuarial personnel have been involved in the development of an internal model, how will they be able to objectively validate the model? This dilemma encapsulates the challenge that all insurers face – how to optimise use of specialist skills and resources. In the case of the internal model, firms may need to involve external specialist support or have additional actuarial expertise within the risk management function independent of the actuarial function. Use of internal audit should also be carefully considered; involvement at validation stage, for example, could prevent internal audit from forming an independent view of the control environment once the model is embedded.

Senior management responsibilities

The significance of the internal model to the business makes a robust review and approval process a prerequisite. Our experiences with Basel II have led us to believe that the regulator will look for evidence of robust and detailed challenge by the highest levels of authority, as opposed to mere "rubber-stamping". Drawing from lessons learned in the financial crisis, where some Boards and management did not fully understand complex models used within their businesses ("misplaced reliance on the maths" as the Turner Review termed it), CEIOPS's expectations4 are that senior management will understand:

  • the logic behind the internal model;
  • the dynamics of the model;
  • the limitations of the model (including statistical assumptions and limitations in business planning assumptions); and
  • in which areas and on which entity hierarchy level, diversification effects arise.

Ensuring sufficient senior management understanding of risk modelling approaches to enable effective review could present challenges for many insurers. With the first wave of dry runs for internal model approval fast approaching, plans for stakeholder engagement and training should not be delayed.

Enhancing management information

The recent financial crisis has highlighted the importance of getting aggregated and reliable risk information to the right levels of the organisation. In order to provide effective challenge, Directors and management require appropriate and timely information, presented in a way that minimises the time required to distil it and gives sufficient prominence to key messages. Incorporating a forward looking dimension that better enables allocation of appropriate resource is considered best practice.

Insurers face several challenges in achieving this. Firstly, reporting from control and assurance functions such as risk, finance and internal audit typically is not aligned in terms of language or scoring, making it difficult for users to obtain a clear understanding of the impact upon risk profile. Large organisations can also face differences in methodology and risk terminology across business units or geographies. Secondly, lack of clean and accurate data can pose a major barrier. Due to legacy products, manually intensive processes and multiple systems and models, many insurers find reporting a complicated and time consuming process.

These challenges will need to be surmounted in order to meet the Solvency II requirement for information systems that produce "sufficient, reliable, consistent, timely and relevant information on all business activities, commitments and risks to which the firm is exposed".5

Gaining regulatory credit through governance disclosure

Under Solvency II, firms will need to provide annual reports to the regulator (Report to Supervisors) assessing the effectiveness of the system of governance, including all key functions and incorporating the conclusions from their Own Risk and Solvency Assessment ("ORSA"). Furthermore, annual public disclosure of governance arrangements through the Solvency and Financial Condition Report will also be required. Insurers will therefore need to document their governance and risk management arrangements in a comprehensible form. Most insurers have some expression of their governance model (for example descriptions of corporate structures and committee roles and responsibilities) but other requirements may be new for many insurers, for example an assessment of the adequacy of the system of governance for the insurer's risk profile. We therefore recommend that insurers undertake an appraisal of whether their current documentation is fit for purpose. Experiences during Basel II demonstrated that a firm's system of governance was one of the first areas reviewed by the regulator during the waiver application process. Those firms with a carefully thought out and well articulated governance model found the process considerably easier than peers with less comprehensive information. Good disclosure can pay regulatory dividends.

A change in mindset

Changing mindset, behaviour and organisational culture can be the biggest challenge of all. The CEIOPS consultation paper on governance places emphasis on the fact that culture and the appropriate "tone at the top" are necessary to support effective operation of the system of governance. Developing an appropriate controls culture is important but is not the only behavioural shift required. Too often risk management is perceived as synonymous solely with issue and loss prevention. Emphasising the business benefits of Solvency II, such as more competitive product pricing and better informed decision making, rather than focusing solely on the regulatory compliance aspect, may help change thinking and get buy-in from the business.

Our conclusions

Insurers should not underestimate the challenges they will face in trying to achieve effective and robust governance in preparation for Solvency II. In the face of competing priorities it will be all too easy for governance to be overlooked in favour of more technical areas. Areas where early consideration may pay dividends include:

  • refreshing roles and responsibilities of key individuals and control functions to deliver effective oversight as well as yield operational efficiencies;
  • optimising use of skilled resource for development, validation and on-going review of internal models; and
  • early senior management training and engagement to enable effective challenge of the internal model during the review and approval process.

With risk governance high on the FSA's agenda, insurers should expect to be subject to significant regulatory scrutiny in this area. However opportunities abound. Developing efficiencies within the organisational structure and a streamlined reporting process has the potential to create both value and competitive advantage.


1 Article 41, Solvency II Directive, approved by the European Parliament on 22 April 2009

2 Speech by Hector Sants, Chief Executive FSA to the Securities & Investment Institute Conference, 7 May 2009

3 These are some of the uses suggested by CEIOPS (Committee of European Insurance and Occupational Pensions Supervisors) in Level 2 Implementing Measures of Solvency II: Tests and Standards for Internal Model Approval

4 CEIOPS, Implementing Measures on Solvency II: Tests and Standards for Internal Model Approval, July 2009

5 CEIOPS consultation paper on Level 2 Implementing Measures on Solvency II: System of Governance, March 2009

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
