Solvency II is intended to encourage increased consistency between insurance companies’ actual risk exposure and the solvency capital requirement, to foster a more holistic approach to risk management, and to ensure increased transparency.
However, Solvency II often becomes synonymous with updated rules for calculating and reporting regulatory capital. This threatens to shift focus away from equally important issues: creating a culture for enterprise risk management and integrating risk management into the business as a whole. Solvency II provides opportunities for significant benefits beyond compliance, but this requires both engagement from the board of directors and management, and the establishment of risk management within a holistic framework.
Solvency II is based on the idea of Enterprise Risk Management (ERM). The theory and practice of ERM is made accessible through the use of acknowledged standards such as COSO ERM, or the newer international standard for risk management, ISO 31000. In this post we look at how ISO 31000 can be used to build the foundation for a successful Solvency II project, focusing on integrating ERM with the company’s overall strategy.
Tools for Preparation
Most definitions of risk have negative associations. ISO 31000, however, focuses on the “effect of uncertainty on objectives”, and states that “an effect is a deviation from the expected – positive and/or negative”. It acknowledges that risk presents both opportunities and threats, and is tied directly to the achievement of goals. This question should be at the core of an organization’s risk management framework: how do we manage the uncertainty affecting the achievement of objectives?
Establishing the mandate for risk management
ERM is about building a risk aware culture that permeates the entire organization. This requires breaking down organizational and cultural silos. Risk management must be integrated into the organizational culture through a clear mandate and commitment from the company’s board and management.
To create the foundation for ERM, ISO 31000 recommends that the management:
- Establish and support the risk management policy
- Ensure consistent organizational culture and risk management policy
- Establish KPIs for risk management and risk management objectives in accordance with business objectives and strategies
- Assign and delegate areas of responsibility appropriately
- Assign necessary resources to risk management
- Communicate the benefits of risk management to stakeholders
Designing the framework
The foundation for operationalizing risk management is the design of the risk management framework. This gives the basis and the tools for integrating risk management at all levels in the organization.
The framework includes a description of the company’s internal and external context. This will vary from company to company, but includes the environment in which the company operates, and the key drivers and trends that affect its objectives.
A key element in the framework is the ERM policy, which clarifies the purpose and objectives of ERM. It’s recommended that the policy details how risk management supports achievement of organizational objectives, and describes the areas of responsibility with regards to risk management.
For Solvency II, an ERM policy should describe and document an efficient risk management system. Articles 41 to 49 set pillar 2 requirements for Risk Governance, such as segregation of duties, handling of conflicts of interest, key functions related to risk management, scope of the risk management system, and competence requirements. Pillar 2 also requires an Own Risk and Solvency Assessment (ORSA), which describes processes to assess risk to a company’s strategy. In other words, a company’s ERM policy is crucial in ensuring compliance with pillar 2 requirements.
Another element included in the framework is how risk management is integrated with other processes in the company, specifically strategic planning and administration. Again, we see similarities between ISO 31000 and Solvency II: one of the main purposes of ORSA is that it should be integrated into the company’s strategic processes; ORSA is based on the company’s strategy, and this strategy should be supported by ORSA.
Similarly to Solvency II, ISO 31000 requires a description of how the organization ensures resources for risk management. This takes into account the people, skills and competence needed to undertake effective risk management. There should also be documented processes, methods and tools to support risk management. Additionally, the framework should cover internal and external communication and reporting mechanisms, which should help ensure compliance with the pillar 3 requirements of Solvency II.
A risk management framework in accordance with ISO 31000 corresponds with several of the requirements in Solvency II. At the same time, the framework can help to prepare for implementation with the holistic perspective Solvency II is intended to encourage. Investing time and resources to establish a well-anchored risk management framework helps in preparing for Solvency II, ensuring that risk management is tied to the company’s achievement of objectives, rather than merely regulatory capital calculation.
Potential benefits deriving from holistic, well-functioning risk management are many, for example:
- Increased likelihood of goal achievement and proactive management
- Improved identification of opportunities and threats
- Increased stakeholder trust and confidence
- A robust foundation for decision making and planning
- Improved controls
- Increased operational efficiency and productivity
- Prevention of losses and improved management of risk events
- Minimized losses
Solvency II implementation will require considerable resources, and you should therefore evaluate the potential benefits beyond compliance. In order to achieve these benefits, you should consider Solvency II a tool for managing uncertainty regarding goal achievement.
A risk management framework based on the principles of ISO 31000 won’t solve the challenge of Solvency II by itself, but it creates the framework for ERM with a focus on benefits beyond compliance.