What does the Second Line of Defence look like post Solvency II? Susan Young, Head of Risk Management, R&Q Managing Agency Limited, 4th July 2013. Institute of Risk Management ERM in Insurance Special Interest Group

Institute of Risk Management ERM in Insurance Special Interest … · first line of defence in some models • Others have Risk Management as the first line, Internal Control as the

Feb 26, 2019


What does the Second Line of Defence look like post Solvency II?

Susan Young

Head of Risk Management

R&Q Managing Agency Limited 4th July 2013

Institute of Risk Management

ERM in Insurance Special Interest Group


Disclaimer

The opinions expressed in this presentation are my own and do not represent those of my organisation

Feel free to share yours


Session Outline

• The Risk Management Function under Solvency II

• The Three Lines of Defence Model

• Some thoughts

• The Three Lines of Defence in a SII world

• Observations and Challenges

• Challenges for Risk Management specifically

• The role of Risk Management in supporting the Board and the business

• How should Risk Management help their Boards?

• How should Risk Management inform their Boards?

• The Risk Management Function in the organisational hierarchy – does it matter?

• Summary and Conclusion

• Questions


The Risk Management Function under SII – Framework Directive

• Insurance and reinsurance undertakings shall have in place an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks, at an individual and aggregated level, to which they are or could be exposed, and their interdependencies

• That risk management system shall be effective and well integrated into the organisational structure and in the decision making processes of the insurance and reinsurance undertaking with proper consideration of the persons who effectively run the undertaking or have other key functions

(Section 2 Article 47 – Risk Management Function – The “what”)

To be continued….


The Risk Management Function under SII – Level 2

• A clearly defined and well documented risk management strategy that includes the risk management objectives, key risk management principles, general risk appetite and assignment of risk management responsibilities across all activities of the undertaking and is consistent with the undertaking’s overall business strategy

• Adequate written policies that include a definition and categorisation of the material risks faced by the undertaking, by type, and the levels of acceptable risk limits for each risk type, implement the undertaking’s risk strategy, facilitate control mechanisms and take into account the nature, scope and time horizon of the business and the risks associated with it

• Appropriate processes and procedures which enable the undertaking to identify, assess, manage, monitor and report the risks it is or might be exposed to

• Appropriate reporting procedures and feedback loops that ensure that information on the risk management system, which is coordinated and challenged by the risk management function, is actively monitored and managed by all relevant staff and the administrative, management or supervisory body

• Reports that are submitted to the administrative, management or supervisory body by the risk management function on the material risks faced by the undertaking and of the risk management system, and

• A suitable own risk and solvency assessment (ORSA) process

(CEIOPS Doc 29/09 Level 2 Implementing Measures – the “how”)

Enterprise Risk Management in different clothes?


The Three Lines of Defence Model

• First Line of Defence – Day to Day Management and Control

• Board of Directors

• Functional Heads

• Business Units

• Second Line of Defence – Oversight, policy and methodology

• Committee and Governance Structure

• Risk Management

• Compliance

• Actuarial

• HR, Legal etc.

• Third Line of Defence – Independent Assurance

• Audit Committee

• External Audit

• Internal Audit

• Independent Peer Review (where appropriate)

Basel Committee Definitions


Some thoughts……

• Origins can be found in sport/military planning

• Implies three separate lines operating independently, each providing a “backstop” for the other

• Solvency II implies a much more integrated view of Risk Management in particular – more later

• Other definitions have “blurred the boundaries” – Actuarial, Finance, HR etc. often find their way into the first line of defence in some models

• Others have Risk Management as the first line, Internal Control as the second line and Internal Audit as the Third Line

• The increased demands on Risk Management in particular are much more holistic in a SII world

• The Three Lines of Defence Model (and its operation) needs to reflect that

It’s not as clear cut as three distinct lines. Nor should it be?


The Three Lines of Defence Model in a Solvency II world

[Diagram labels: Risk Management; Board of Directors]

• FIRST LINE – The Business (Risk and Control Owners)

• SECOND LINE – Direct Assurance (Compliance, Actuarial, Legal etc.)

• THIRD LINE – Independent Assurance (Internal/External Audit, Independent Review etc.)

The “virtual team” in a SII world


Observations and Challenges

• Risk Management sits at the heart of much of how organisations operate in the new Solvency II world

• Regarding the second line – what’s in, what’s out? Does it matter? If so….

• Recognise the areas with first and second line “hats” and adapt style and approach accordingly

• Our ERM responsibilities have not changed – we merely have a clearer mandate to harness them – more later

• First and third lines of defence (as traditionally defined) also form part of the Risk Management Function (even if not part of the Risk Management team)

• Risk Management is clearly in the second line; however, we will examine the implications in a moment

A blurring of the boundaries – but surely this is a good thing?


Challenges for Risk Management specifically

• Wider ranging responsibilities – Governance of the Internal Model (where used) has required a broadening in our skill set

• This reached beyond the traditional ERM “top down and joined up” approach to risk identification, mitigation, monitoring we all know and love – but the basic tenets of ERM do still apply

• Finding the right positioning within the organisation to make our voice heard – either on the Board, or reporting directly to it, or someone on it – more to follow

• From that, having clearly defined terms of reference for the Risk Management Function – which should encompass elements of the first and third lines as appropriate

• Ensure your organisations know how to harness the skills within the Risk Management team to optimum effect

• Maintaining the momentum in the light of SII implementation delays – a working assumption has to be that SII is coming

• Convincing the organisation of the value of living it now!

A fair few – what do these mean in practice?


The role of Risk Management in supporting the Board and the business

• Risk Management should be embedded – so what does this mean?

• Risk Management is not the Risk Management team alone

• The Risk Management team is an enabler for Risk Management activity

• Accordingly, effective Risk Management activity cannot be abdicated to the Risk Management team, or merely “bolted on” to existing business activity

• SII recognises that the Risk Management Function, however defined, has responsibility for many elements of Internal Model Governance – Scope, Change, Validation – a terrific mandate for facilitating the alignment of the two disciplines

• “Function” is the operative word. Risk Management should function, not just be. It is a process.

• Risk Management should be defined, positioned and structured appropriately to be able to fulfil its obligations and actively support the Board in fulfilling theirs.

Risk Management is well placed to underpin the Board – provided it is well embedded


How should Risk Managers help their Boards?

• Ensure there are properly defined Terms of Reference (mentioned earlier) – distinguish between the Team and the Function

• Risk Management has a key role to play in the following, as well as day to day activity:

– Business Planning – Risk Management informs the process and monitors business performance

– Strategic initiatives – they can have major capital implications

• Ensure the reporting line affords you an appropriate profile and feedback loop, either on the Board or reporting to it – as well as the requisite independence

• If not, ensure Risk Management is covered during the Board meetings - not at the end

• Get the structure and balance of your team right – remember your “virtual” team as well!

• Educate, educate, educate – this never ends – from top table to grass roots

Maintain visibility – it is key in fulfilling these responsibilities


How should Risk Managers inform their Boards?

• Engage up front in defining what the Board wants, why and when

• Ensure there is a common and consistent language

– Keep jargon to a minimum

– Once established, stick to it

• Present concise Management Information – not Data

– Less is more

– Provide detail by all means, but keep key information to a few pages – or even only one

– Ensure your Key Risk Indicators do address your Key Risks

– Ensure any “Reds” are sufficiently material to warrant discussion and corrective action

– Test the impact – did the MI drive action?

• Internal Model Outputs – for example

– Sensitivity tests – can show the impact of decisions on Risk Indicators/Capital Usage

– Risk Ranking and allocation of capital to individual risks or risk categories is a lever to prioritise risks

Taking risks has capital implications – we need to know how much – by managing risks in this way, we can take more of them!


The Risk Management Function in the organisational hierarchy – does it matter?

• Yes, for the reasons already outlined – but that’s not all

• The Risk Management Function should be purely second line of defence – if properly embedded it should support, challenge, embed – not do it all

• It should maintain its independence in order to be objective

• There is no hard and fast rule as to how this is done – it will depend on the organisation and it may need to change/adapt over time

• However, the days of Risk Management as a siloed, discrete bunch of “bolt on” people are gone – Risk Management is a “virtual team” – being the whole organisation

Thoughts?


Summary and Conclusion

• The responsibilities of the Risk Management Function under Solvency II are clear and unchanged

• They are nothing really new, merely a clearer mandate to embed ERM

• The Three Lines of Defence model as traditionally defined implies demarcation between the three lines

• This has limited appropriateness in a Solvency II world – the three lines of defence model is less discrete, more continuous and less “clear cut” – Risk Management should recognise this when engaging with the business

• The Risk Management Function in the second line is in a unique position to support, challenge, embed and is well placed to do so

• The impetus should remain notwithstanding the delays to the timetable


And finally….

Thank you for listening

Any questions?

DDI +44 (0) 20 7780 5882

[email protected]

www.rqih.com