For a topic which has felt like a given for a number of years (certainly in the UK and Ireland, where we already ask a lot in this area), the System of Governance preparatory guidance is still 40 pages, comprising 57 guidelines, accompanied by 60 pages of explanatory text.
A couple of things immediately grabbed me when going through the guidance (again anticipating a conservative approach of the supervisors rolling over and applying all content as is):
- That the Risk Management Policy (regardless of how one structures the component elements) is expected to contain procedure-level information about the management of each major risk category - this sounds hopelessly disproportionate, and almost impossible for supervisors to reasonably get through;
- That it is "expected" that large or complex firms separate their four key control functions, and that others at the small/medium end may ultimately find it easier to do so than consider the range of controls/maintenance of independence required to have combined functions;
- That insurers' systems of governance are expected to undergo regular independent review, with the AMSB only retaining the ability to choose the performer;
- That insurers will be expected to formally identify/analyse/report on Operational Risk Events;
- That EIOPA bottled out of defining Risk Appetite and Risk Tolerance, leaving national supervisors and insurers to fight it out amongst themselves.
Ultimately, the document reads like a checklist which practitioners or full-timers can run through against the suite of documentation no doubt already in existence; if that documentation is based on CEIOPS/EIOPA final advice and/or the Commission's Draft Level 2 measures, it won't be miles away as it stands. On that premise, I've only listed the elements which jump out for me.
GENERAL GOVERNANCE REQUIREMENTS
- Evidence should be collected of the AMSB "proactively" seeking information from committees/key functions
- No more detail than an expectation that the AMSB "appropriately implements" their key functions - in the explanatory text, it goes on to say that larger companies will be "expected" to fully separate Risk/Actuarial/Compliance/IA, with a series of measures expected to preserve functional independence if smaller companies choose to combine some.
- Expectation that both AMSB decisions, and how information generated from the Risk Management System (RMS) influences them, are "appropriately documented" - compulsion for Board Decision Logs?
- Regular System of Governance reviews appear to be expected, which are documented and reported back to the AMSB - the AMSB retains the right to choose who performs it
Guideline 9 - All policies must include:
- Goal of policy
- Tasks to be performed and by whom (person or role, unlike for validation, where person/s was specified)
- Associated processes and reporting procedures
- Obligations of affected operational teams to inform control functions of "relevant facts" at all times
- Contingency plans are expected for areas which are "especially vulnerable" - this pushes outside of what one would consider a conventional contingency plan for operational emergencies.
FIT AND PROPER
- Must have a Fit and Proper persons policy
- It must be equally applicable to both hired staff and outsourced functions
Guideline 15 - AMSB is "ultimately responsible" for:
- RMS effectiveness
- Setting Risk Appetite and Risk Tolerance Limits
- Approving Risk Management strategies and policies
Guideline 16 - Risk Management Policy must cover at least
- Risk categories used and measurement methods
- How each category/grouping of risks is managed
- Risk tolerance limits for all categories in line with Risk Appetite
- Linkage of both SCR and ORSA to risk tolerance limits
- Frequency and content of regular stress tests, and circumstances for additional testing
Guideline 18 - Insurance Risk Policy
- Expected to cover types of acceptable insurance risks, how premiums will cover claims/expenses, as well as how product design accounts for investment restrictions and formal risk mitigation techniques
Guideline 19 - Op Risk Policy
- Expectation that Operational Risk Events will be formally identified/analysed/reported in insurers, and that a system for collecting and monitoring them should be in place.
- Operational Risk Scenarios should be developed and used, based on failures of key persons/processes/systems and external events
Guideline 23 - Investment Risk Policy
- Buzzphrase introduced of managing the level of "security, quality, liquidity, profitability and availability" of one's asset portfolio
OWN FUND REQUIREMENTS AND THE SYSTEM OF GOVERNANCE
- Concept of a "medium term capital management plan" introduced which covers planned capital issuances, maturities and distribution policies - not sure how that works for mutuals, but I can see what they're fishing for
- "All personnel [should be] aware of their role in the Internal Control system"
- The Internal Control system should be "commensurate to the risks arising from the activities and processes to be controlled" - this line should hopefully avoid overkill
INTERNAL AUDIT FUNCTION
- The Internal Audit policy should include the procedure for informing supervisors [of whistleblowing-level wrongdoing I guess]
- "Material" deviations of Best Estimate Liabilities should be back-tested by the Actuarial function, reported on, and remedial changes proposed
- The Actuarial function is expected to "contribute to" specifying the risk coverage in the internal model, as well as the dependency structure - these feel like areas where, even in larger insurers, the function probably already leads, so will they be asked to take a step back?