UK: Shifting Gears For The New Regime - The Role Of Risk Governance In Solvency II, October 2009

Governance is one of the most prominent features on the regulatory landscape for insurers. Intensive scrutiny over governance arrangements will be a characteristic of the FSA's supervisory approach as announced in the Turner Review in early 2009. The Walker Review proposals for governance arrangements within UK banks and other financial industry entities (including insurers) set out the scale of structural and cultural changes required to reach best practice. But an equally compelling motive for insurers to reassess their systems of governance is that it forms an integral part of the Solvency II regime.

Although a number of existing governance regulations currently impact insurers, such as those within the FSA handbook and the Companies Act 2006, Solvency II will catalyse a re-examination of whether insurers' governance models are fit for purpose. Embracing this opportunity for change could unlock cost efficiencies through improved organisational design, information and processes while failure to implement and communicate effective governance approaches to the regulator could lead to additional regulatory capital charges under Pillar 2.

In this article we explore those areas that insurers may find particularly challenging when trying to enhance their risk governance as part of Solvency II. In particular we focus on the need for an organisational structure that supports effective oversight and challenge of capital and risk management. In addition, we reflect on the importance of robust management information, as well as the governance challenges associated with developing and embedding an internal model. (The distribution of rights and responsibilities relating to a firm's broader corporate affairs, for example the relationship with shareholders, is not considered within our risk governance discussion here.)

Implementation challenges posed by Solvency II

Although the new regime is scheduled to be implemented in the EU in October 2012, many insurers have paid heed to the FSA's advice to initiate Solvency II gap analysis, design and implementation programmes. The advice to start early is equally relevant to risk governance. Underestimating the time and complexity of changing governance arrangements is a common pitfall. While changing structures and processes can appear relatively straightforward on paper, truly embedding change in a firm's governance arrangements is a more challenging and subtle undertaking, not least due to the level of Board and Executive input, buy-in and consensus required.

A widespread misconception is that all effort should first be concentrated on getting the Pillar 1 mathematical calculations correct. Successful implementation of Pillar 1 requirements may also require acceleration of certain risk governance aspects; for example, a training programme for senior management running in parallel to internal model design may be necessary so as not to delay the approval process. It is our belief, informed not least by our experience with Basel II, that a joined up view of Solvency II requirements across the three Pillars is the only way to tackle Solvency II efficiently.

Delivering and demonstrating effective oversight & challenge

Many insurers have adopted the "three lines of defence" risk governance model, shown above in its most typical form. Despite embracing this model, some insurers still struggle to articulate how oversight is apportioned between the risk management and other specialist functions, such as actuarial or treasury departments. Although the Solvency II Directive does not refer to this issue explicitly, transparent apportionment of oversight responsibilities and the existence of independent checks and challenges are critical to achieving "an adequate organisational structure with a clear allocation and appropriate segregation of responsibilities"1.

Some insurers take the approach that specialist functions, such as actuarial, are "second line" and responsible for oversight for specific areas of the risk universe. Other firms require the risk management function to oversee these specialist functions, but are then faced with the necessity of building sufficient expertise within the risk team. It is not unusual for specialist functions to perform a combination of first and second line activities, for example providing management information and processes to support the first line, while providing oversight and challenge of Business Units as part of a second line role. Organisations should be alert to the potential for conflicts of interest and avoid situations where a specialist function is performing a first and second line role over the same business or technical area. Insurers should be able to demonstrate the existence of objective review and skilled challenge of key decisions as part of their articulated governance model.

Ensuring that the Chief Risk Officer and risk function have sufficient standing in the organisation is vital to achieving meaningful challenge and ultimately the effective risk governance required by Solvency II. The Chief Executive of the FSA earlier this year expressed the view that appropriate stature to provide genuine challenge will only materialise if an executive director solely responsible for risk is on the main Board2. In those insurers where the CRO reports to the CFO, consideration should be given to whether the CRO has appropriate and unfettered levels of access to the CEO and the Board and whether a Board reporting line needs to be defined in addition to the Executive reporting line. The role of an independent Non-Executive Director ("NED") is also the subject of much discussion in the wake of the Walker Review's call for a materially increased time commitment from NEDs including the formation of a Board Risk Committee, chaired by a NED. Although the final report from Walker will only be released in November 2009, it seems likely that NEDs will be expected to demonstrate more active involvement in risk management discussions, including proactive requests for information on a firm's underlying risk exposures, the linkage to the capital position and challenge of risk appetite.

Driving competitive advantage through an integrated approach to risk and capital

At the heart of Solvency II is the need for more closely integrated risk and capital management which will drive better aligned interactions between risk, finance, actuarial and the business through this cycle. As illustrated here, true integration will permeate multiple aspects of the organisation from strategic decision making, to business processes and performance management.

At present, insurers have risk management functions, capital management procedures and business processes, but they are typically managed separately from each other, often operating in silos. This can lead to duplication of effort and business decisions taken without due consideration of the relevant risks. The scope and mandate of control functions (such as risk, compliance, actuarial and finance) will also need to be aligned and agreed. An integrated approach to risk and capital may also necessitate revisiting committee structures and considering whether the right discussions are taking place in the right forum. Insurers should also appraise whether resources with the right skills and expertise are in the right places. For example, the compliance function may need additional resource and closer alignment with the risk management function to effectively advise on prudential compliance (as suggested by the Directive).

Although investment will be required by many insurers in order to design and implement their target organisational design for integrated risk and capital management in a post-Solvency II world, taking a fresh look at the organisation provides a significant opportunity to draw out synergies. Stripping out organisational inefficiencies and duplicative processes offers the potential to deliver operational excellence and competitive advantage as well as providing a robust platform for improving the wider target operating model.

Governance over internal models

The internal model should be the "backbone" of the information used to inform decisions about the business. Embedded properly, it should inform strategy and be used for a wide range of business decisions including product development, pricing, investment strategy, capital management, assessing customer benefits and assessing the riskiness of the business strategy.3

The decision to develop an internal model for Solvency II brings with it several governance challenges:

Optimising use of specialist resource

Under the Solvency II Directive, ownership for the internal model is within the risk management function, including responsibility for design and implementation of the internal model; testing and validation; and documentation and analysis of performance of the model. Assigning these tasks to the risk function is intended to encourage the internal model to be embedded and maintained as an effective risk management model. However the actuarial function is tasked with specific responsibilities and sign-offs over the internal model outputs, namely: reserving; capital; data suitability; underwriting policy; and reinsurance arrangements. Clearly the risk management and actuarial functions will need to work closely together in order to make this work.

We recommend insurers give careful thought to how responsibilities for development, validation and on-going review of the model are allocated. Firms should be alert to the possibility of conflicts of interest and think proactively about how these should be mitigated. If risk and actuarial personnel have been involved in the development of an internal model, how will they be able to objectively validate the model? This dilemma encapsulates the challenge that all insurers face: how to optimise use of specialist skills and resources. In the case of the internal model, firms may need to involve external specialist support or have additional actuarial expertise within the risk management function independent of the actuarial function. Use of internal audit should also be carefully considered; involvement at validation stage, for example, could leave those resources conflicted when forming an independent view of the control environment once the model is embedded.

Senior management responsibilities

The significance of the internal model to the business makes a robust review and approval process a prerequisite. Our experiences with Basel II have led us to believe that the regulator will look for evidence of robust and detailed challenge by the highest levels of authority, as opposed to mere "rubber-stamping". Drawing from lessons learned in the financial crisis, where some Boards and management did not fully understand complex models used within their businesses ("misplaced reliance on the maths" as the Turner Review termed it), CEIOPS's expectations4 are that senior management will understand:

  • the logic behind the internal model;
  • the dynamics of the model;
  • the limitations of the model (including statistical assumptions and limitations in business planning assumptions); and
  • in which areas and on which entity hierarchy level, diversification effects arise.

Ensuring sufficient senior management understanding of risk modelling approaches to enable effective review could present challenges for many insurers. With the first wave of dry runs for internal model approval fast approaching, plans for stakeholder engagement and training should not be delayed.

Enhancing management information

The recent financial crisis has highlighted the importance of getting aggregated and reliable risk information to the right levels of the organisation. In order to provide effective challenge, Directors and management require appropriate and timely information, presented in a way that minimises the time required to distil it and gives sufficient prominence to key messages. Incorporating a forward looking dimension that better enables allocation of appropriate resource is considered best practice.

Insurers face several challenges in achieving this. Firstly, reporting from control and assurance functions such as risk, finance and internal audit typically is not aligned in terms of language or scoring, making it difficult for users to obtain a clear understanding of the impact upon risk profile. Large organisations can also face differences in methodology and risk terminology across business units or geographies. Secondly, lack of clean and accurate data can pose a major barrier. Due to legacy products, manually intensive processes and multiple systems and models, many insurers find reporting a complicated and time consuming process.

These challenges will need to be surmounted in order to meet the Solvency II requirement for information systems that produce "sufficient, reliable, consistent, timely and relevant information on all business activities, commitments and risks to which the firm is exposed".5

Gaining regulatory credit through governance disclosure

Under Solvency II, firms will need to provide annual reports to the regulator (Report to Supervisors) assessing the effectiveness of the system of governance, including all key functions and incorporating the conclusions from their Own Risk and Solvency Assessment ("ORSA"). Furthermore, annual public disclosure of governance arrangements through the Solvency and Financial Condition Report will also be required. Insurers will therefore need to document their governance and risk management arrangements in a comprehensible form. Most insurers have some expression of their governance model (for example descriptions of corporate structures and committee roles and responsibilities) but other requirements may be new for many insurers, for example an assessment of the adequacy of the system of governance for the insurer's risk profile. We therefore recommend that insurers undertake an appraisal of whether their current documentation is fit for purpose. Experiences during Basel II demonstrated that a firm's system of governance was one of the first areas reviewed by the regulator during the waiver application process. Those firms with a carefully thought out and well articulated governance model found the process considerably easier than peers with less comprehensive information. Good disclosure can pay regulatory dividends.

A change in mindset

Changing mindset, behaviour and organisational culture can be the biggest challenge of all. The CEIOPS consultation paper on governance places emphasis on the fact that culture and the appropriate "tone at the top" are necessary to support effective operation of the system of governance. Developing an appropriate controls culture is important but is not the only behavioural shift required. Too often risk management is perceived as synonymous solely with issue and loss prevention. Emphasising the business benefits of Solvency II, such as more competitive product pricing and better informed decision making, rather than focusing solely on the regulatory compliance aspect, may help change thinking and get buy-in from the business.

Our conclusions

Insurers should not underestimate the challenges they will face in trying to achieve effective and robust governance in preparation for Solvency II. In the face of competing priorities it will be all too easy for governance to be overlooked in favour of more technical areas. Areas where early consideration may pay dividends include:

  • refreshing roles and responsibilities of key individuals and control functions to deliver effective oversight as well as yield operational efficiencies;
  • optimising use of skilled resource for development, validation and on-going review of internal models; and
  • early senior management training and engagement to enable effective challenge of the internal model during the review and approval process.

With risk governance high on the FSA's agenda, insurers should expect to be subject to significant regulatory scrutiny in this area. However opportunities abound. Developing efficiencies within the organisational structure and a streamlined reporting process has the potential to create both value and competitive advantage.


1 Article 41, Solvency II Directive, approved by the European Parliament on 22 April 2009

2 Speech by Hector Sants, Chief Executive FSA to the Securities & Investment Institute Conference, 7 May 2009

3 These are some of the uses suggested by CEIOPS (Committee of European Insurance and Occupational Pensions Supervision) in Level 2 Implementing Measures of Solvency II: Tests and Standards for Internal Model Approval

4 CEIOPS, Implementing Measures on Solvency II: Tests and Standards for Internal Model Approval, July 2009

5 CEIOPS consultation paper on Level 2 Implementing Measures on Solvency II: System of Governance, March 2009

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
