Thursday, 28 March 2013

EIOPA Preparatory Guidelines - System of Governance

Consultation on System of Governance preparatory guidance (plus explanatory text)

For a topic which has felt like a given for a number of years (certainly in UK and Ireland where we already ask a lot in this area), the System of Governance preparatory guidance is still 40 pages, comprising of 57 guidelines, accompanied by 60 pages of explanatory text.

A couple of things immediately grabbed at me when going through the guidance (again anticipating a conservative approach of the supervisors rolling over and applying all content as is)
  • That the Risk Management Policy (regardless of how one structures the component elements) is expected to contain procedure-level information about the management of each major risk category - this sounds hopelessly disproportionate, and almost impossible for supervisors to reasonably get through;
  • That it is "expected" that large or complex firms separate their four key control functions, and that others at the small/medium end may ultimately find it easier to do so than consider the range of controls/maintenance of independence required to have combined functions;
  • That an expectation that insurers' systems of governance require regular independent review, with the AMSB only retaining the ability to choose the performer;
  • That insurers will be expected to formally identify/analyse/report on Operational Risk Events
  • That EIOPA bottled out of defining Risk Appetite and Risk Tolerance, leaving national supervisors and insurers to fight it out amongst themselves.
Ultimately, the document reads like a checklist which practitioners or full-timers can run through against the suite of documentation no doubt already in existence which, if based on CEIOPS/EIOPA final advice and/or the Commission's Draft Level 2 measures, won't be miles away as it stands. On that premise, I've only listed elements which jump out for me.


Guideline 3
  • Evidence should be collected of the AMSB "proactively" seeking information from committees/key functions
Guideline 5
  • No more detail than an expectation that the AMSB "appropriately implements" their key functions - in the explanatory text, it goes on to say that larger companies will be "expected" to fully separate Risk/Actuarial/Compliance/IA, with a series of measures expected to preserve functional independence if smaller companies choose to combine some.
Guideline 7
  • Expectation that both AMSB decisions, and how information generated from the Risk Management System (RMS) influences them, is "appropriately documented" - compulsion for Board Decision Logs?
Guideline 8
  • Regular System of Governance reviews appear to be expected, which are documented and reported back to the AMSB - the AMSB retains the right to choose who performs it 
Guideline 9 - All policies must include:
  • Goal of policy
  • Tasks to be performed and by whom (person or role, unlike for validation, where person/s was specified)
  • Associated processes and reporting procedures
  • Obligations of affected operational teams to inform control functions of "relevant facts" at all times
Guideline 10
  • Contingency plans are expected for areas which are "especially vulnerable" - this pushes outside of what one would consider a conventional contingency plan for operational emergencies.


Guideline 11
  • Must have a Fit and Proper persons policy
  • It must be equally applicable to both hired staff and outsourced functions


Guideline 15 - AMSB is "ultimately responsible" for:
  • RMS effectiveness
  • Setting Risk Appetite and Risk Tolerance Limits
  • Approving Risk Management strategies and policies
Guideline 16 - Risk Management Policy must cover at least
  • Risk categories used and measurement methods
  • How each category/grouping of risks is managed
  • Risk tolerance limits for all categories in line with Risk Appetite
  • Linkage of both SCR and ORSA to risk tolerance limits
  • Frequency and content of regular stress tests, and circumstances for additional testing
In addition, the associated guidelines touch on the risk categories within one's Risk Management Policy. There is an expectation for pretty much every category that procedure-level information is included in the policy documents themselves, as well as hard limits, which is unlikely to be the case as it stands.

Guideline 18 - Insurance Risk Policy
  • Expected to cover types of acceptable insurance risks, how premiums will cover claims/expenses, as well as how product design accounts for investment restrictions and formal risk mitigation techniques
Guideline 19 - Op Risk Policy
  • Expectation that Operation Risk Events will be formally identified/analysed/reported in insurers, and that a system for collecting and monitoring them should be in place.
  • Operational Risk Scenarios should be developed and used, based on failures of key persons/processes/systems and external events
Guideline 23 - Investment Risk Policy
  • Buzzphrase introduced of managing the level of "security, quality, liquidity, profitability and availability" of one's asset portfolio


Guideline 32
  • Concept of a "medium term capital management plan" introduced which covers; planned capital issuances, maturities and distribution policies - not sure how that works for mutuals, but I can see what they're fishing for


Guideline 33
  • "All personnel [should be] aware of their role in the Internal Control system
  • The Internal Control system should be "commensurate to the risks arising from the activities and processed to be controlled" - this line should hopefully avoid overkill


Guideline 36
  • The Internal Audit policy should include the procedure for informing supervisors [of whistleblowing-level wrongdoing I guess]


Guideline 44
  • "Material"deviations of Best Estimate Liabilities should be back-tested for by the Actuarial function, reported on, and remedial changes proposed
Guideline 46
  • The Actuarial function is expected to "contribute to" specifying the risk coverage in the internal model, as well as the dependency structure - this feels like areas where, even in larger insurers, the function probably already leads, so will they be asked to take a step back?

No comments:

Post a Comment