|Independent review of ORSA|
- banging the drum?
While most familiar with the topic would immediately cry "that got lobbied out in 2011", the speaker's argument was that, while EIOPA's Guidance no longer says firms should "independently" review its ORSA, it also doesn't not say it, therefore we must do it, and do it annually!
I would have chuckled and left it at that, but having read InsuranceERM's recent roundtable on preparations for Solvency II, the topic again reared its head, albeit in a more controlled manner, as a number of attendees explained how they have used Internal Audit (and dismissed the idea of using external firms) in reviewing their ORSA processes during the preparatory phase.
My problem is this - as an industry we were happy to, erm, relieve ourselves and moan when CEIOPS's first attempts at ORSA Guidance in 2010 included a guideline which compelled annual independent review of the ORSA Process (included in slide 32 of Mr Bernadino's pack here in Summer 2011, as I can't find the original CP anywhere).
This was lobbied-out by the time the re-badged EIOPA released their 2011 CP (here), and when their Final Report followed in June 2012, "independent review" was a distant memory.
Any compulsion to review the ORSA Process is now covered only by EIOPA's System of Governance Guidelines (here), specifically Guideline 8 asking that a firm's SoG is regularly "internally reviewed on a regular basis" (5.11).
EIOPA continue in 5.11 that "...the review undertaken by the internal audit function on the system of governance as part of its responsibilities can provide input to this internal review" - i.e. this is not work considered to be performed automatically and exclusively by one's Internal Audit function.
In terms of frequency, EIOPA elaborate in section 4.26 of the Guidelines, namely that your AMSB, given your firm's nature, scale and complexity;
...determines the scope and frequency of the internal reviews of the system of governanceSo three things - no 'annual' requirement; AMSB's choice on frequency; and that this is internal review, not "independent", "external", or indeed any other word which gets me contracted past 2016!
I therefore tried to haul this back to where a concept of compulsion for any type of "independent" review of ORSA has managed to sneak back into the thinking of the insurance industry (or just the consultancy industry!)
I believe it might be this - a rather obscure comment at the back of EIOPA's 2012 Final Report on ORSA, the very document in which the idea of Independent Review was jettisoned!
EIOPA's response to a Deloitte question (p132) appears to have been written somewhat ambiguously. They comment;
The ORSA will anyway have to be included in the regular independent review of the system of governance as well as in the assessment of the internal audit function
EIOPA only deleted the independent review of the ORSA in order to avoid the misconception that an additional independent review on top of that was requiredIt may be that the response writer meant to type "internal" and typed "independent" instead - if you are in doubt, seek clarity from the organ grinders at EIOPA!
For my money, and in the context of the Directive, Delegated Acts and EIOPA's current Guidelines;
- ORSA Processes do not need to be reviewed annually
- ORSA Processes do not need to be reviewed externally
- ORSA Processes do not need to be reviewed independently
- One's System of Governance, including ORSA, should be "internally reviewed on a regular basis", "regular" being defined by one's AMSB.