Solvency II and Risk Management: Generali Group approach. Stefano Ferri Group Chief Risk Officer Generali Group


Solvency II and Risk Management: Generali Group approach
Stefano Ferri, Group Chief Risk Officer
CETIF, Milan, May 23rd 2012

Strengthening of the Risk Management System in light of Solvency II

SOLVENCY II
- Pillar I: Solvency (Technical Reserves, MCR, SCR)
- Pillar II: Governance (active role of the Top Management, Own overall assessment of the risks)
- Pillar III: Communication (communication flows and transparency to the market and to the supervisors)

Generali Group has developed a comprehensive and integrated framework to address all areas of intervention towards Solvency II. In terms of Risk Governance, the latest improvements include:
- Risk Organization:
  o Alignment of the risk management system of the Italian companies to the target model adopted by the Corporate Centre
  o Definition of links between the Group Risk Management and the local risk management functions
- Further strengthening of the Internal Model (IM framework), with particular focus on Internal Model Validation processes and consolidation of IT infrastructure.
- ORSA Project: ORSA Report roll out with a Pilot test on selected Group companies
- Interaction with Supervisory authorities at Group level (College of Supervisors) and first meetings with the individual Supervisors of countries in scope (Italy, Austria, Germany, France, Spain, Ireland, Czech Republic)

Focus of this session will be on:
- Risk Organization
- ORSA Project and IM Framework

Solvency II System of Governance - Overall framework

Board of Directors: Strategy, performance target and risk appetite

1st Line of Defense (DOING): Risk Ownership
Delegated authority from the board to develop and implement the strategy, measure and manage business performance, and ensure that the business is managed within the agreed risk appetite. It is responsible for the implementation of the risk management framework.

2nd Line of Defense (OVERSIGHT): Risk Management (Risk Control)
Provides objective oversight of the management of risk. Key activities:
- Assists the BoD and the Top Management in ensuring the effectiveness of the overall risk management system, therefore providing advice on strategic issues
- Supports the design and deployment of the overall risk management framework across the organisation
- Monitors the risk management system, maintaining an enterprise-wide view of the risk profile
- Provides reporting of the risk exposure to the various risks

3rd Line of Defense (ASSURANCE): Independent Assurance
Provides independent and objective assurance over the effectiveness of corporate standards and business compliance, including assurance that the risk management processes are functioning as designed, and identifies improvement opportunities.

Components shown on the slide: Risk management system; Own Risk and Solvency Assessment (ORSA); Internal control framework.

The three lines of defense model ensures the independence of the risk monitoring and oversight function from the risk taking units, as well as providing a fully independent internal audit.

Solvency II System of Governance - Board of Directors role

Given the overall regulatory requirements arising from the entry into force of Solvency II, particular emphasis is placed on the central role of the Board of Directors (AMSB) within the Company system of governance. This implies in particular:
- Increased awareness of risks and embedding of risk culture in decision making (Dir. Art. 120, Use Test): multi-level training program;
- Written policies for a significant part of the company system of governance and in particular for risk management (Dir. Art. 41 and 44);
- Strengthening of the risk management system, also by enhancing the role of the Risk Management function (Dir. Art. 44): ORSA and Internal Model Framework.

Multi-level training program

The Solvency II Training Initiative is developed by the Solvency II project team and the affected business areas. It is aimed at providing staff with the technical knowledge and cultural perspective that will be required to produce the results demanded by the Solvency II regulation. The contents are managed centrally and structured in modules, where the topics presented are increasingly detailed according to the identified target population and delivered through different tools to achieve the deepest understanding of the topics discussed.

CHANGE MANAGEMENT - SOLVENCY II TRAINING INITIATIVE
CORPORATE: Board of Directors/Senior management - Aimed at guaranteeing the understanding of the Internal Model
USE TEST - UNDERSTANDING REQUIREMENTS
TECHNICAL: Technical people - Aimed at providing technical insights structured in an e-learning course, with specific workshops
RISK CULTURE
CULTURAL: All employees - Aimed at providing all employees with a general overview on the Solvency II impacts

Written Policies and Documentation Tree

WRITTEN POLICIES provide principles and define the high level strategy.

Risk Related Documents

Group ICRMS Risk Management Group Internal Control Group Internal Audit Outsourcing Remuneration Business Continuity
1st LEVEL POLICIES
Defined on the basis of Art. 41 and 44 of the Directive (and related to Level 2 and Level 3 Implementing measures). Should be approved by the administrative, management or supervisory body (AMSB).

Non Life Underwriting Life Underwriting Operational Risk Management IM Change IM Governance Data Validation Reinsurance ALM Liquidity Investment
2nd LEVEL POLICIES
Required by the regulation or mentioned in the 1st level policy they refer to. Explain more deeply a specific topic of the upper level. Should be approved by the AMSB.

LISTS NOT EXHAUSTIVE
Group IT Security Risk Guidelines Guidelines related to IM (e.g. Tests & Standards) Company Operating Handbook (Life-Non Life Finance) EBS and RAC Methodology Non-Life Pricing Risk Curve Parameterisation Methodology
GUIDELINES
Provide operating rules, minimum standards/contents or limits. A formal approval is required (Advisory Committees or Top Management).
OPERATING DOCUMENTS
Issued by the specific technical functions (both at Group or Company level) to address key issues related to operating activities/business. Provide detailed descriptions or instructions to be fulfilled.

Additional REPORTING DOCUMENTS provide reporting and disclosure documents, usually mentioned (and/or attached) in a Policy, Guidelines or Operating Document.

Mission of the Risk Management

The objective is to facilitate the achievement of the business targets through the optimization of risk management based on a common risk culture.

Definition of risk: risk relates to the possibility to take opportunities or not to achieve strategic and business targets due to internal / external events. In Chinese the word risk is a combination of threat and opportunity.

RISK MANAGEMENT IS NOT ONLY FOCUSED ON CAPITAL AND SOLVENCY

- The Risk Management Function leads the processes of the risk management system: identification and valuation of the risks, risk strategy definition, management (control and mitigation of the risks also through an adequate organization), reporting.
- It is characterized by a holistic approach to risk management aimed at conveying a cross and integrated vision of risks ("risk comes from what is unknown").
- The Risk Management Function plays a role of oversight (second line of defense) and at the same time it is:
  o A control function (risk controlling) not involved in operating activities, to ensure an effective risk monitoring;
  o A business partner (risk advisor) to support business activity.

Evolution of the Group Risk Management Function

Performed both at Corporate Centre and local entities level, the GROUP RISK MANAGEMENT REORGANIZATION sets a further strengthening of the system in order to:
- facilitate the process to achieve compliance with the Solvency II system;
- be aligned to international best practices, considering the trends of the main peers and the expectations of the Supervisory Authorities.

In particular, Group Risk Management is structured into:
- RISK MANAGEMENT FRAMEWORK (Strategy, Models and Methodologies);
- RISK CONTROLLING (Governance, Processes, Controlling and Validation);
- OPERATIONAL RISK (Operational Risk management).

ITALIAN ENTITIES
o Further centralization to the Corporate Centre of risk management activities
o Strengthening of the communication process of Group Guidelines and monitoring actions on their compliant implementation
o Within the Group Risk Management Function, creation of a dedicated structure for Italian entities developed on the main geographical areas (MI-TO, RM, TS-MV)

LOCAL FOREIGN ENTITIES
o Definition of dotted lines between local and group risk management functions
o Involvement of the Corporate Centre in decision-making processes of the local Risk Management

Evolution of the Risk Management: main activities performed

- Align the risk management system of the Italian companies to the target model adopted by the Corporate Centre:
  o roles and responsibilities related to the internal model and operational risks;
  o greater support to the companies;
  o definition of links with the Group Risk Management in line with the organizational model adopted by the other control functions (Internal Audit and Compliance function).
- Definition of links between the Group Risk Management and the local risk management functions:
  o distinguishing between owned companies, Joint ventures, Branches, Extra-EU companies;
  o identifying the links with risk management functions of the other financial institutions (Generali investments, Banca Generali, BSI);
  o defining the content of the dotted lines: direction and coordination; involvement within the processes related to the assignment/resignation, valuation and remuneration.
- Design of the roll-out plan identifying short-term targets (quick wins) and target model.

Organizational structure of the Group Risk Management

Since March 2012, a new function has been created - directly reporting to the CRO and organized according to geographical areas - aimed at aligning the risk management system of the Italian companies to the target risk management system model adopted by the Corporate Centre.

[Organization chart: Group Risk Management under the GROUP CRO. Activities at Corporate Centre level: RISK MANAGEMENT FRAMEWORK (Strategy, Models, Methodologies); RISK CONTROLLING (Governance, Processes, Controlling & Validation); OPERATIONAL RISK. Activities for Italian entities: Risk Management Assicurativo Centro-Sud; Risk Management Assicurativo Nord-Ovest; Risk Management Assicurativo Nord-Est. Coordination and alignment of activities.]

Dotted lines between Group Risk Management and local (foreign) entities

[Diagram: Corporate Centre level (Group CRO) linked to Entity level (Local Entity, Local CRO).]

Dotted lines between Group Risk Management and local foreign entities are intended as follows:

1. Direction and coordination
Local functions are subject to direction and coordination by the Group Risk Management (Corporate Centre). Direction and coordination is implemented through:
- definition of Group guidelines and standards which the local function should comply with;
- ruled interaction between Group Committees and local ones through:
  o escalation procedures toward Group structures;
  o participation of Group representatives in local Committees;
- communication flows and periodical reporting from and to the Group Risk Management.

2. Involvement within the processes related to the assignment/resignation, valuation and remuneration
The elements used to evaluate and remunerate the local function are partially defined by the Group function (level of intervention under development: Opinion on Compliance vs Opinion on Performance vs Veto Right, ...)

Direction and coordination: implementation tools

Definition of guidelines to address minimum standards local companies have to comply with in setting up the local Risk Management function and in addressing its operating activities:

- scope: activity of the Risk Management System whose execution is under the responsibility of the Risk Management function;
  o Strategies, Models and Methodologies (implement Group guidelines to cascade Risk Strategy, implement Internal Model adoption as well as risk indicators, risk advisory roles, ...);
  o Governance, Processes, Control and Validation (implement Risk Management System, written risk policies, monitor operation limits, coordinate internal model validation activities, ...);
  o Operational risks (coordinate / implement the activities to identify, classify and evaluate operational risks, implement Group Guidelines to manage operational risks, collect and rationalize operational risks information).
- organizational principles: main characteristics and constraints of the local Risk Management functions;
  o endorsement of the Group minimum standards within Risk Management Function Rules ("Terms of Reference");
  o no conflict of interests (e.g. the person responsible for risk management should not have operating responsibilities and should not report to the person responsible for investments);
  o variable remuneration not based on operating performance;
  o dotted line to the Administrative, Management or Supervisory Body (AMSB);
  o free access to the AMSB and to the Group Risk Management.
- connections with Corporate Centre: procedures according to which communication flows with the Group Risk Management have to be managed.
  o reporting on the correct implementation of the Risk Management System (correct adoption of the Internal Control and Risk Management System, of the Risk Management Policy as well as of all the written risk policies, reporting on Group Risk Guidelines, etc.);
  o periodical information on local risk committees and on risk topics discussed by the local AMSB;
  o escalation procedures.

Internal Model Framework enhancement

Internal Model (IM):
- is not only limited to the mathematical/economic/actuarial model (calculation kernel) for the assessment of the capital requirement;
- also includes all tools related to the tests and standards, with the purpose of integrating and enhancing the risk management system.

Tests and standards shown on the slide: USE TEST; STATISTICAL QUALITY STANDARD; DOCUMENTATION STANDARD; CALIBRATION STANDARD; VALIDATION STANDARD; PROFIT AND LOSS ATTRIBUTION.

In light of the overall strengthening of IM processes and governance, the following activities aiming at enhancing the model validation framework have been performed:
- Use Test: definition and formalization of all decision making processes that require a full consideration of IM results; development of a training program;
- Documentation: enhancement of the documentation tree from policies being approved by local entities to operating guidelines and methodologies;
- Profit and Loss attribution: methodology definition for economic (not accounting) profit and losses by risks / link to decision making;
- Calibration and SQS: further finalization in light of the overall validation process overarching all IM tests and standards.

Own Risk and Solvency Assessment (ORSA)

ORSA is not limited to the production of a report; instead it consists of the set of processes and procedures used to identify, assess, monitor, manage and develop the reporting of risks which a company is, or may be, exposed to in the short and long term, and to calculate own funds to meet the overall solvency needs, ensuring the solvency of the company at any time.

In particular, the ORSA Process leverages existing processes already well established in the Group (e.g. Strategic Planning, Capital Management, Strategic Asset Allocation, Liquidity Management, ...).

Compared to the already existing internal ERM reporting, the ORSA Report adds to the overall assessment of the risk management system and the risk profile:
- the Main Risk Self Assessment, being a set of methodologies for the assessment of quantitative and qualitative Non Pillar I risks;
- the forward looking perspective, including the Economic Solvency projection over the time horizon considered in the strategic planning process.

ORSA process main roles and responsibilities

[Diagram: ORSA process steps and the bodies involved. Steps named: ORSA Policy definition (Group Level); ORSA Policy approval; Process design/implementation; Sign off; Process running/output production; Process validation; Results validation. Bodies named: Group Risk Committee; AMSB; Risk Management / Strategic Planning; Risk Management; CFO / Risk Management / Risk Committee. Main contributors: Risk Committee, Risk Management, Strategic Planning, Technical Insurance Area, Finance, Compliance, Financial Reporting, Audit.]

ORSA project structure

Phase I: ORSA Concepts
- Definition of an ORSA Vision to draw up the ORSA framework both at Corporate Centre and BU Level.
- The ORSA Vision has been further improved in the:
  o ORSA Policy (principles and Governance)
  o ORSA Methodology (details of the processes, integration with other processes and timeline, projection of capital, assessment of the qualitative risks).

Phase II: ORSA Mock-up & Pilot Test
- Definition of an ORSA Mock-up as a common reporting template of the ORSA Report.
- Launch of a Pilot in 2011 to test and fine-tune the Mock-up in order to define the template of the ORSA Report:
  o Participation of 1 Italian and foreign companies belonging to 4 main countries, structured interaction with Corporate Centre during execution phase
  o Review of reports within Corporate Centre and full sharing of the results with the companies
  o Subsequent refinement of the Mock-up.

Phase III: ORSA Report roll-out
- Execution of the ORSA Report (replacing ERM Reports) by all Group entities
- Subgroup reporting keeping detailed quantitative templates, also considering Supervisors' views
- Consolidated Group ORSA Report planned for 2012.

ORSA Report - structure of the document

By considering the regulatory framework and the results of the ORSA Pilot exercise the following structure has been developed:

In the Executive Summary the approach, contents and final results are presented, with the aim of allowing an immediate and complete overview of the contents of the document. Targeted to the BoD and Supervisors, the Executive Summary should have an ideal length between 10 and 20 pages.

PILLAR II planned developments

- Approaching ORSA at Group Level: ORSA Group Report
- Full embedding of risk culture within decision making processes (ORSA, Use Test) by appropriately following the Solvency II master plan of activities and developments in the Pre-application process.