by Stuart Rose and Thorsten Hein
This article is reprinted with permission from SAS. All rights are reserved.
For the last 30 years the insurance industry has been bombarded with new and increasingly diverse regulations, all designed to ensure that insurers and reinsurers are financially stable and act responsibly.
The foundations of the current European solvency regime were created in the 1970s. Since then there have been many changes in Europe, the insurance sector and financial markets. The problem with the earlier directives was that the rules did not adequately take into account a number of important risks, such as asset and liability management risk, credit and market risk.
In addition, capital required to be held was not aligned with the risks and value associated with a specific product sold by a particular insurance company. It is generally recognized that the capital requirements imposed by the early directives were too low to ensure adequate solvency of many firms. Finally, the early directives did not provide supervisors with the tools and procedures to intervene, which is arguably as important for policyholder protection as the level of solvency itself.
The limitations and weaknesses of the initial solvency directives led to the creation of the Solvency II Directive. The directive was officially approved by the European Parliament on April 22, 2009, and the proposed implementation date is January 1, 2013. Speaking at the launch of the Solvency II Draft Directive Framework in July 2007, Charlie McCreevy, European Commission for Internal Market and Services, said: "We are setting a world-leading standard that requires insurers to focus on managing all the risks they face and enables them to operate much more efficiently. It's good news for consumers, for the insurance industry, and the EU economy as a whole."
Solvency II Overview
Solvency II is a fundamental review of the capital adequacy of the entire European insurance industry. The purpose of this legislation is to ensure the financial stability of insurance companies, taking into consideration insurers' assets and liabilities. Solvency II will fully replace the current Solvency I requirements.
The primary goal of the European Union (EU) is to create an effective, single market across all 27 EU countries. Solvency II is one of the key components of the European Commission's action plan for financial services. The action plan calls for consolidating the 14 existing European insurance directives and introducing an entirely new, harmonized European solvency regime.
The implementation of Solvency II will have important consequences for the way in which insurance companies and supervisory authorities operate in the future. Requiring all firms to conduct an individual risk and capital assessment will encourage and reward more comprehensive risk management practices. This, in turn, will lead to a much better assessment and alignment of actual capital needed by an insurance company to meet its risks. The new solvency rules will thus inevitably shift business attitude from a compliance-based culture to a risk management culture.
Unlike previous regulations, Solvency II will take into consideration the many different types of risks facing insurers and then aggregate them at a firmwide level. These include: credit risk; market risk; operational risk; liquidity risk; and underwriting risk, both life and non-life.
Another unique aspect of Solvency II is its requirements regarding insurance groups and risk diversity. Insurance groups are a collection of siloed, or separate, insurance companies that report to a corporate insurance company. Such insurance groups have been established in the EU for a number of different reasons, including improved management accountability, cross-border activities, mergers and acquisitions, legal requirements to separate life and non-life business, and taxation implications.
What to Consider as You Become Solvency II Compliant
Complying with an evolving regulatory requirement is a real challenge, and implementing Solvency II is just as much a management challenge as a technology one. To be compliant by the 2013 deadline, it is critical to identify what activities are required. To prioritize these activities, insurers should concentrate on implementing initiatives that will improve their business performance.
The development of a risk-based capital framework is the foundation to Solvency II. To establish this framework, insurers will need accurate, timely information from the business. Hence the quality and availability of existing business data are fundamental to any successful Solvency II implementation. Most of this risk measurement information will come from the business through policy administration, claims management and asset management systems.
In the context of Solvency II, technology software should not be limited to the calculation of capital. Warehouses and data marts, which will store both the input and the results of modeling exercises, are critical for any Solvency II technology architecture. In addition, a key element for internal model approval is strong audit trail capabilities.
Under Solvency II, firms will be able to set and explicitly determine their own risk appetite and level of capital required to run the business. The Own Risk and Solvency Assessment (ORSA), which is a documented internal process to identify all "own risks" and "the own solvency needs to cover these risks" will be an important part of a firm's management and decision making. While data quality and data integration tools are fundamental for Solvency II, they are worthless without a robust risk management framework.
The risk management framework should include the policies and procedures that lay down key risk indicators (KRIs) based on the insurer's risk appetite. The implementation of an insurer's risk management framework starts with an understanding of the risks affecting its business. Insurers then need to set a strategy to manage these risks. Input from models and reporting systems will be essential for an insurer to get a reasonably accurate picture of its risk profile, define its risk appetite, organize the risk management so that it is effective yet still compatible with the business culture, and feed the risk perspective into business decisions.
Benefits of an Enterprise Risk DataManagement Framework
Data management and data quality are no longer optional components of a regulatory solution; they are essential. Solvency II takes a sophisticated approach to risk management, financial reporting and corporate governance. This approach requires insurance companies to put comprehensive standards, policies and processes in place for the use, development and management of data. To support the new processes, the legislation calls for data relating to risk to be generated more frequently and more thoroughly. Firms will need to demonstrate that they have instilled risk awareness and sensitivity in all core activities.
Insurance companies are continuously trying to make better business decisions faster. However, many insurers spend so much time manually gathering and cleaning data and creating reports that there is little time left to explore data to uncover insights that can have a positive impact on the bottom line. That is why a holistic, unified approach to data management, which ensures a smooth flow of information throughout the organization, is a critical part of a true risk management system. This approach will enable decision makers to glean key insights from the data and then combine those with insights from other business functions, such as marketing, claims and underwriting.
Rise of Economic Capital and Internal Models
A data-driven approach accrues significant benefit for any organization. The consistency that is necessitated by the Solvency II regulations will result in uniformity across reporting, analysis and predictive capability in all organizations that properly implement the regulations at a granular level. It will furthermore create the capacity for improved strategic planning, performance management and remuneration strategies that add value to the organization on a risk-adjusted basis. In many cases, it will allow organizations to identify portfolios that are less than optimal in their performance and to focus on building portfolios that are more advantageous to longterm sustainability.
The alignment under the economic balance sheet approach also implies a far greater recognition of risk at a more granular level and an ability to align risk-based reporting standards with accounting-based reporting standards. From a shareholder perspective, Solvency II will provide far greater granularity and transparency across all portfolios and across all sources of risk than at any time previously. One thinks, for example, of AIG and how the risks inherent in its massive credit default swaps (CDS) positions would have been identified and reported under a Solvency II regime.
Beyond Solvency II — Business Benefits ofRisk Management
Insurance executives must make a declarative choice in developing the Solvency II business case. A firm can elect to do the minimum required to ensure compliance, which is less expensive in the short term. But taking the minimal approach is bound to entrench a disadvantage over the long term, as it implies a higher cost of capital and results in less sophisticated risk management capabilities. On the other hand, firms can choose to invest in enterprise technology and integrate risk management with their core business processes. This approach can deliver a competitive advantage and, as a result, maximize potential benefits. By investing in an enterprise risk management and compliance solution, insurance companies can optimize the use of Solvency II resources and turn the compliance burden into a number of strategic opportunities.
Insurance companies can use the Solvency II regulations to build a brand that is recognized for its strength of capital position, transparency in its operations and sound risk management practices. The benefits of such a brand are apparent in increased market share and retention of existing customers. In addition, rating agencies encourage insurers to manage risk and capital in a way that enhances the quality of earnings. According to rating agency AM Best, an insurer that can demonstrate strong risk management practices integrated with its core operating processes, and can effectively execute its business plan, will maintain favorable ratings in an increasingly dynamic operating environment.
Challenges Facing Insurers Related to Solvency II
The Solvency II requirements contain a mixture of extremely complex quantitative calculations and risk management and governance processes, with a focus on auditability and transparency. Insurers will be required both to implement the necessary physical changes affecting how the business is run and to effect important cultural changes to ensure that Solvency II principles are embedded into the business. To ensure success, insurers generally will need to address a number of diverse issues. These challenges are covered in more depth in the following sections.
As insurers embark on enterprisewide risk management initiatives, they face the key challenge of data management. While it is well recognized that the integrity of internal data is very much the lifeline of insurance companies, there are significant challenges to aggregating data to create analytical metrics. The 2009 EIU report1 highlighted the fact that the lack of data availability and data integrity is currently hampering the ability of financial services firms to implement enterprisewide risk management capabilities. Nearly one-half of executives questioned in this survey (41 percent) considered improving data quality and data availability to be one of the three major areas of focus in the management of risk within their organization. The need for comprehensive data management infrastructure increases with the complexity of the risks and the size of the organization. In fact, CEIOPS has enforced the importance of data quality, which in the committee's experience is a major area of concern for European insurers.2 CEIOPS expects insurance companies to:
- Have a data dictionary of all data sources and attributes.
- Conduct data quality assessments.
- Take steps to remediate any identified issues.
- Demonstrate that ongoing data quality monitoring processes are in place.
Poor Transparency and Auditability
Over time, various parts of organizations adopt different risk management frameworks and systems. This results in fragmentation of risk-related information, making it difficult to consolidate this information from across the organization and to accurately visualize the different types of risk exposures. Complex, convoluted and intertwined packaged and homegrown systems, along with poor data sourcing and documentation, have further reduced the certainty in capital calculations. This makes it impossible to reflect the true risk profile of the business, so the organization will end up holding either too much or insufficient capital.
Enterprise governance, risk and compliance (GRC) aims to make things right by addressing both data and processing issues. GRC improves data quality by:
- Collecting and verifying data from operational systems, consortiums, external content providers and other specialized GRC applications.
- Building a foundation of common business definitions for key risk, performance and control indicators and their associated data elements via a comprehensive GRC data model.
On the processing end, GRC promotes consistent workflow descriptions for the enterprise by utilizing a common library of risks and controls, policies and procedures, incidents and events. By using common remediation actions, the end result is an integrated platform that standardizes and maintains risk-related data in libraries with common definitions, and consolidates information from all risk management systems to deliver an enterprise view of the entire organization's risk exposures and associated capital requirements.
A Diverse Set of Models and Risk Aggregation
Most insurance companies have grown larger over a period of time. This has led to a number of risk management regimes, differing models and various modeling systems and methodologies. Many companies use multiple modeling systems simultaneously to handle their risk and exposure modeling needs. The result is a mixture of confused results, ultimately creating inconsistent risk output.
In addition, risks are often related to each other; and understanding exactly how these links affect the business is important. Unfortunately most insurers lack the ability to aggregate models and correlate risk at a firmwide level.
Models are semipermanent in nature, as they were often crafted by a third-party vendor who is slow to update the models to reflect changing business and regulatory requirements. This "black-box" approach results in increased costs and less accurate capital calculations, creating the conditions for poor certainty on risk-based capital allocations.
Solvency II not only demands huge amounts of extra reporting from insurance companies produced in shorter time periods — it also demands that these reports be more rigorously controlled and documented. Insurers will need a mechanism to distribute these reports to all business departments — including senior management and external parties — in a timely manner. Business intelligence and reporting applications are essential to provide these reporting capabilities and dashboards for decision makers. These reporting tools should include report templates for the supervisory (Pillar 3) requirements such as the Solvency and Financial Condition Report and the Report to Supervisor.
How SAS Can Help
SAS delivers an integrated risk and regulatory capital management solution that is backed by 30 years of experience in data management and analytics, superior financial stability as well as a track record of reinvestment in research and development.
Solvency II Environment from SAS
SAS' approach to Solvency II is a flexible framework leading companies through the minefield of data, existing models, economic capital standard models, operationalized risk and reporting. Our framework delivers consistency and auditability, which greatly eases the path to compliance.
SAS® Risk Management for Insurance
SAS Risk Management for Insurance is a comprehensive solution for performing risk analysis and risk-based capital calculations for insurers. The solution enables life and property and casualty (P&C) insurance companies to implement the Solvency II standard model approach for calculating risk-based capital, and is built on a robust, insurance-specific data management and reporting platform. With its insurance-specific data model and risk data management capabilities, the SAS Risk Management for Insurance solution enables insurers to acquire and consolidate historical data from both internal and external sources to use for risk analysis and reporting.
With the solution, insurers can perform:
- Enterprise risk data management.
- Market-consistent valuation of assets and liabilities.
- Stress testing analysis.
- Aggregation of risk capital charges.
- Calculation of solvency capital requirements (SCR) and minimum capital requirements (MCR).
- Regulatory and internal risk reporting.
SAS® Enterprise GRC solution
The SAS Enterprise GRC solution strengthens governance and builds trust throughout an organization by providing early and systematic management of risk exposures and disclosures. It also helps you detect and prevent violations of all applicable laws, regulations and policies, and helps make sure your strategy is aligned with risk appetite, key stakeholder expectations and external obligations.
SAS Enterprise GRC enables you to build a reliable view of risk exposures and compliance obligations, which is an error-prone and time-consuming task if the solution's components are not integrated. The solution also facilitates collaboration between internal teams — which is difficult if governance, risk and compliance components are fragmented. In addition, it reduces the cost of risk management and compliance by eliminating duplication of data and processes through automation.
Implementing a Solvency II project will be a major undertaking for an insurance company, regardless of its size. Insurance companies will need an end-to-end technology infrastructure that is scalable, with sufficient processing power to support the increased complexity and sophistication required for Solvency II calculations.
Recognized as the industry leader in analytics, SAS provides capabilities to help insurers comply with the Solvency II regulations and more. With SAS you can:
- Comply with Solvency II requirements by deploying a robust risk management system.
- Reduce cost and effort with the SAS Risk Reporting Repository model and a preconfigured standard reports process for calculation analysis and reporting.
- Minimize risk of the project by using proven SAS technology and by establishing consistent internal reporting standards and process automation.
- Accelerate the implementation process using an integrated risk management framework from data integration to risk analysis to reporting.
- Enhance transparency with fully auditable models, data integration and outputs that reduce the complexity and effort required for Solvency II compliance.
- Ensure quality assurance (accuracy, appropriateness and completeness) of the data used by all business functions for decision-making processes.
On July 10, 2007, during the official presentation of the Solvency II Directive, Thomas Steffen, CEIOPS Chairman, stated that "Solvency II is not just about capital. It is a change in behavior." Solvency II signals a fundamental shift toward a comprehensive enterprise risk management culture. While considered an exceptionally ambitious project, the objectives of Solvency II were designed to generate benefits to both policyholders and insurance companies. However, if the Solvency II Directive is executed properly, and if the anticipated benefits are realized, it could also have a dramatic impact on the European economy.
The regulation of the insurance industry has recently been regarded as an unnecessary hindrance to the dynamism of economies and the natural tendency of firms to innovate and expand. We believe, on the other hand, that taking an early and proactive stance toward implementation of Solvency II will drive individual insurers to improve their business intelligence and management information systems so they can achieve sustained competitive advantage.
- Economist Intelligence Unit. After the Storm: A New Era for Risk Management in Financial Services. 2009.
- CEIOPS, CP43. "Technical Provisions — Standards for Data Quality." 2009.
Stuart Rose is Global Insurance Marketing Manager for SAS. He began his career as an actuary and now has more than 20 years of experience in the insurance industry, working for companies in the United States, Europe and South Africa. Rose has written many insurance-related articles and is also the co-author of Executive's Guide to Solvency II.
Thorsten Hein is Business Development Manager for SAS. He is an expert in the European insurance market, focusing on topics like Solvency II, valuebased management and risk management. Hein started his career in 1990 at the global headquarters of Allianz Insurance in Munich, Germany.