System of Governance - EIOPA's FINAL preparatory guidance for national supervisors

Based on feedback received since their initial consultation paper was released, EIOPA make the following generic clarifications/statements in the preamble of their guidance doc for System of Governance preparations;

• That proportionality will not be defined or presented as examples in the guideline text (p5-6)
• That NCAs are "expected to...review and evaluate the quality of the information provided to them" - bad news for the PRA, who were clinically uninterested in reviewing Solvency II reporting attempts according to one blogger (p6)
• The emergence of a new ORSA acronym, "FLAOR", which looks more like something an amused teenager would write on Facebook (p6)
• The expectation that 2015 will see submissions of (2014) ORSAs to NCAs (p7)
• While there is no generic take on what enforcement action should take place in this interim period, firms are expected to (a) Discuss any negative findings from their ORSA/Governance systems with their supervisor, and (b) To produce SCRs using information of appropriate quality. Enforcement action in the absence of this WILL NOT consist of capital add-ons, apparently (p7)
• That the submission date calendar for all of the information expected will be reviewed at the end of this year, so that EIOPA can take Omnibus II progress into account (p8)
• That the explanatory text in each set of guidance is NOT part of "Comply or Explain" (p9)
• That the reasons behind a negative "Comply or Explain" decision from any country will be kept secret as standard (p10, and disgraceful, frankly).

They then go on to focus on some of the larger bones of contention within the 52 guidelines provided. The following generic points stand out for me as a practitioner;

1. There is almost no discernible movement in EIOPA's position, even after a volumous lobbying effort;
2. That explanations for the inclusion of contentious content are generally forthcoming, though on a number of occasions, flimsy;
3. That planning for 2014 full-year mothballing of Solvency II programmes is not an option, particularly for ICAS+ candidates - some may get away with a few months of inertia, depending on the quality of their paperwork (strategies, policies, process guides/maps, terms of reference, charters etc).

The following supporting arguments for EIOPA's final view were, in my mind at least, poorly formulated, regardless of whether the end result is still agreeable;

3.48 (Guideline 6)

- Refused to add more definition around what constitutes a "significant decision", which is poor form.

3.58 (All of Chapter III)

- That the expectations of Risk Management in insurers  "...comprise risk management standards which are considered to be matter-of-course and wide spread activities" - extraordinarily loose, considering the lack of a majority-accepted global, or indeed pan-European standard on the subject (IRM/ISO/COSO/FERMA/FSB's efforts notwithstanding)

3.65 (Guideline 19)

- That, while it is "not an easy task", Operational Risks should be quantifiable, and therefore subject to tolerance limits - I don't think it would have hurt to suggest (or even compel the use of) a method if it is that difficult.

3.68 (Guideline 25)

- That firms should maintain Investment Risk-related KRIs outside of what might be provided by normal parties (for example, ratings agencies), which would help "...increase overall risk management" - not entirely convinced that a generic "increase" is any kind of worthy ambition. 

3.74 (Guideline 31)

- That a capital management policy and capital management plan is both necessary (though for not entirely convincing reasons when tying back to the Directive)

3.78 (Chapter VI [Internal Control])

- That there is already plenty of clarification on what the Compliance function is charged with. I would agree in principle, but have heard evidence to the contrary in practice.

3.81 (Chapter VII [Internal Audit])

- That they neither wish to mandate or discourage rotation of Internal Audit staff or whistleblowing direct to NCAs - in which case, why mention it!

3.110
- A bizarre comment in response to a suggestion that a public statement should be released by the AMSB annually regarding the discharge of responsibilities around the system of governance that the Directive "...only deals with internal governance, not corporate governance" - think I know what they are fishing at, but terribly worded.

3.144
- Justify their decision not to define risk appetite and risk tolerance in the context of these guidelines

They have however provided some more defendable clarifications, for example;

3.51 (Guideline 11)

- Clarified that the gold-plated "Fit and Proper" requirements apply to AMSB/Control Function staff only, as well as specify what is expected from Outsourcers.

3.57 (Chapter III [Risk Management])

- That in the context of separating the duties of the Risk and Actuarial functions, the Directive is abundantly clear and that undertakings "...cannot deviate from [the Directive's] distribution of tasks"

3.62 (All "Policy"-related guidelines)

- That efforts should be targeted towards drafting the required documents during the preparatory phase. I would imagine this would be "re-working" in the UK, where such activity is most probably long done.

3.67 (Guideline 19)

- That there is no compulsion for firms to operate an electronic database to store operational risk events

3.85 (Chapter VIII [Actuarial])

- That, regardless of the absence of a valuation framework for TPs, the processes behind their co-ordination and calculation justify early activity, rather than "wait and see" on Pillar 1.

3.124
- Regarding Op Risk, activity will have to include "...identifying all operational risks that have crystallised and their near misses" (my emphasis)

Relatively easy in summary then - if it was a gap/issue in your system of governance in March, it probably still is, so go and fix it!