Enterprise Risk Management and Solvency II
by Andy Davies
There is a great deal that the insurance sector has to come to terms with as it addresses the implications of Solvency II. There are broad general questions such as: What does it all mean? How will it be achieved and its requirements met? How much will it cost both from a capital and a monetary perspective? What resources are required? Then there is the related issue of how the International Financial Reporting Standards will fit with Solvency II.
Enterprise Risk Management: Culture Is the Key
Rating agencies, analysts, shareholders, and regulators are all taking more interest in capital models and enterprise risk management (ERM). Effective ERM acts as the common thread that links balance sheet strength, operating performance and business profile."1
In an ideal ERM model, the risk management group will work with the board and all employees to ensure that their organization has effective ERM. It is fair to say that the majority of companies today have some form of ERM, but it is also true that for many this is an area that needs further development.
ERM is not about finding the perfect model, it is about having a strong risk- management culture which ensures that risk is understood, controlled, and effectively communicated. Effective ERM should be part of an insurance company's DNA.
The key components of ERM are:
Aligning risk appetite and strategy;
• Enhancing risk response decisions;
• Reducing operational surprises and losses;
• Identifying and managing multiple and cross-enterprise risks;
• Seizing opportunities;
• Improving the deployment of capital.
Management should consider the company's risk appetite in evaluating its strategy, setting objectives, and developing mechanisms to manage related risks. ERM provides the rigour to identify and select alternative responses to risk-such as risk avoidance, risk reduction, risk sharing, and risk acceptance. Through ERM, companies enhance their ability to identify potential events and establish responses, thereby reducing surprises and associated costs or losses.
Every company faces a variety of risks that affect different parts of the organization, and ERM facilitates effective responses to such multiple risks. By considering a full range of potential events, management can identify and proactively realize opportunities.
Finally, obtaining robust risk information allows management to assess overall capital needs effectively and enhance capital allocation.
ERM and Solvency II
Solvency II is based on three "pillars". Pillar 1 is about capital requirements and the triggers for supervisory action. Pillar 2 focuses on the supervisory activities of regulators, based on organisational and governance requirements. Pillar 3 covers additional disclosures that supervisors may need to carry out their regulatory function. Under Solvency II, the concept of an "internal model" effectively refers to an enterprise-wide risk management framework. It covers both the quantitative requirements of Pillar 1 and the organizational and governance requirements of Pillar 2.
The broad thrust of an internal model is to use an economic capital model, accompanied by the embedding and effective management of risk, driven from the board to the front line.
It is important to remember the context and immediate historical backdrop against which the insurance sector is working. It is undeniable, for example, that the industry has had problems with risk assessment and modelling in recent years. The 2005 hurricane damage payouts and the current credit crisis put significant stress on capital and liquidity requirements for many companies. This makes discussion of capital adequacy regimes a very strong necessity, not just an academic exercise.
However, as insurance company boards try to square up to these issues-and there are many of them-there is a real danger of overcomplicating certain processes and of critical data being obscured by information overload. Having a complex model is no guarantee of success, as the crises experienced by several banks will testify. Instead, what is really critical is to ensure that the insurer's approach to risk management is simple enough for all staff to understand and engage with, and that it is also effective enough to add real value. The concept of "proportionality" is specifically enshrined within the proposed European Directive for Solvency II, so there is regulatory recognition that we do not need to over-elaborate.
Risk management will only be fully effective if people throughout the organization receive clear, consistent messages from leadership and understand what they need to do. It starts at the top, and senior management need to develop a unified view, common language, policies, and appropriate governance structures.
The recent testimony of Paul Moore, former head of Group Regulatory Risk at HBOS, makes clear the importance of culture in risk management. Moore commented that "Being an internal risk and compliance manager at the time felt a bit like being a man in a rowing boat trying to slow down an oil tanker."2 If the culture is wrong, then even the most sophisticated model will be ineffective.
Markel Corporation, the company for which I work, is a relatively small company with 400 employees.3 It therefore has a very flat organization structure, enabling close interaction between board and employees. This is very helpful as all employees can be given clear and consistent messages in a common language. We are committed to creating an environment in which risk is managed effectively. The Markel style, which articulates our core values, includes statements that "we will build the financial value of our company," which implies a steady, cautious approach to risk, and "we are encouraged to challenge management...we have the ability to make decisions or alter a course quickly," which empowers discussions of strategy. As both US and UK management "walk the talk," this culture facilitates a risk-focused approach for all employees.
Figure 1 highlights that a clear articulation of risk strategy and risk appetite is an essential starting point in embedding risk management across an organization. These statements of corporate objectives act as the fundamental reference point against which all risk-taking and risk-mitigation activity within an organization should be benchmarked. They provide governance and define boundaries within which risk-based decision-making can occur, and provide a clear framework for the selection of one course of action over another.
Policies, risk strategy, and risk appetite are set at board level, and this is embedded into the annual and day-to-day activities of the business. These activities are analyzed through various risk maps, capital models, and sensitivity metrics. In addition, external factors such as market movements and the actions of competitors are communicated to the business. The model at Markel that is shown in Figure 2 splits the business into two components-underwriting and investing. As a consequence there are several key committees and meetings. These are:
IBNR (incurred but not reported losses) and P&L meetings, at which
all aspects of underwriting and reserving are discussed.
• Investment Committee meetings, where all aspects of the company's investment performance and strategy are discussed.
• And in the middle there are the Capital and Risk Committees, which look at the company's risk and capital management.
The IBNR and P&L meetings are crucial to the way Markel operates. A thorough and robust reserving process is the cornerstone of a successful organization. It is important that underwriters and management agree on the IBNR results as this ensures that there is one version of the truth. Having two sets of numbers causes confusion, wastes time, and results in poor decision-making.
The meetings need to be held on a consistent and regular basis. At Markel, IBNR meetings are held quarterly, and the P&L meetings are held on a monthly basis. The IBNR packs and P&L statements show the combined ratio and the required return on risk-adjusted capital by line of business. They include all allocated expenses so that the underwriters understand the full cost of writing their business.
The IBNR and P&L meetings are attended by senior management and underwriters and are a crucial part of the business culture at Markel. They are used to identify lines of business that are not achieving profitability and required return on capital targets so that appropriate action can be taken at the earliest opportunity.
It is crucial that the results of all these meetings are embedded in the management and financial reporting and also in the capital management of the business.
Finally, the activities and results of the business are fed back to the board through effective risk management and reporting.
The results are a key driver in deciding the remuneration of underwriters. Part of our underwriters' remuneration is phased over a period of years, which thus provides a safeguard against underwriting strategies that appear profitable in the short term but ultimately deteriorate. The alignment of risk management with remuneration strategy is an essential part of the effective embedding of ERM.
Capital Allocation and Management
The standard model for the majority of companies in the United Kingdom today is a product of the Individual Capital Assessment (ICA) regime, introduced by the Financial Services Authority while it waited for Europe to refine and introduce Solvency II. The implementation of ICA has been a significant step forward in delivering more risk-based capital management and has gone a good way to help meet the challenges of Solvency II.
Figure 3 highlights that for a nonlife company the basic capital requirement is split into four risk categories:
• Insurance risk;
• Liquidity risk;
• Market risk;
• Credit risk.
The capital assigned to these risk categories is used to produce the basic capital requirement of the company, and in most cases the capital required is calculated through a combination of stress and scenario tests and a capital model. Operational and group risk are added to the basic capital requirement to produce the company's total capital requirement.
Although this model has been successful in getting companies through the ICA regime, it will not be sufficient to meet the requirements of Solvency II. In addition, ICA models suffer from the fact that for the most part they have been developed and owned by the finance and actuarial departments in companies. As a consequence, there has been minimal embedding into the rest of the business. At Markel, our ICA process has always been multi-disciplined, with a number of stakeholders involved. However, we are embedding the process further. Individual members of the Capital and Risk Committee work with the Board, underwriters, and investment managers to ensure that they understand the capital being allocated to them and the risk-adjusted returns required.
The key to effective capital management is to ensure:
• that it drives the decision-making process, ensuring optimal use of capital;
• that it is embedded into the business. It needs to be a key driver in strategy and planning, acquisitions, new lines of business, and legacy claims management. This is an area that needs a considerable amount of effort, but the benefits are considerable. This area is key to achieving the objectives of Solvency II;
• that people are rewarded by return on capital. People will take more of an interest if their bonuses are dependent on it, so ensure that the bonuses of underwriters and senior management are calculated by return on capital;
• that the model is transparent and well documented. Too many models act as a black box whose results cannot be explained;
• that financial and nonfinancial information used by the model and the capital management team is consistent with the information used by the business. Different information causes confusion, wastes time, and will result in poor decisions being made. An organization cannot have a model that operates with stand-alone information-it needs to be embedded into all aspects of the business.
The goal should be to minimize group and operational risk through effective ERM. A prudent approach is to have minimal appetite for credit and liquidity risk and a reasonable appetite for market risk.
The last and most significant risk is reserve and underwriting risk. A sound approach here is to split the capital required for reserve and underwriting risk into two components: prior-year reserve risk and current business risk. Here one allocates capital to cover the uncertainty on prior-year insurance reserves. Again, one can try to reduce this capital requirement by establishing prudent case and IBNR reserves so that reserves are more likely to be redundant than deficient.
Capital is also allocated to underwriting the current business. This capital is allocated to each product line, enabling management to set combined ratio targets that achieve the required return on risk-adjusted capital. These combined ratio targets will vary according to the volatility, length of tail, and reinsurance usage of the product line. In addition, the combined ratio target will take into consideration diversification with other classes of business.
The combined ratio targets are used to benchmark underwriting performance, and they act as a key driver in the setting of underwriter and management bonus targets.
What Are the Implications of Solvency II?
The three-pillar approach of Solvency II works as follows. Pillar 1 deals with the quantitative capital requirements. It ensures that the valuation of assets and liabilities, and the calculation of capital requirements, are standardized. The areas covered are:
• Valuation of technical
• Minimum capital requirement;
• Solvency capital requirement;
• Investment rules
Pillar 2 deals with the qualitative side of Solvency II and focuses on
• The principles of
internal control and risk management;
• Individual risk and capital assessment;
• The supervisory review process.
Pillar 3 deals with disclosure requirements discipline and covers:
• Transparency and disclosure and the support of risk-based supervision through market mechanisms.
So what are the implications of Solvency II for capital management? Already we can see that there are problems.
Within Pillar 1 it is clear that the technical provision under Solvency II and IFRS (International Financial Reporting Standards) is calculated differently. This difference will be a potent source of confusion, additional cost, and wasted effort-and it needs to be resolved.
It is also clear that the communications effort required to implement Pillar 1 will not be trivial. How are the new technical provisions to be communicated and embedded in the business? How do you explain to underwriters that their loss ratio reflects discounting and a cost-of-capital adjustment? It took a long time for underwriters to understand combined ratios, so this will be a challenge.
The minimum capital requirement (MRC) set out in Solvency II fails to reward appropriate risk management due to its formulaic approach. It is also clear that in the majority of cases an internal capital model produces a lower solvency capital requirement, which means that there is a significant advantage to an organization in having its model approved. Finally, there are also significant implications for IT and data collection.
With Pillar 2 it is crucial that a company can demonstrate that it has effective ERM and that it is embedded in the business. Meeting the embedding or "use test" requires significant time and resources.
The main focus of Pillar 3 is disclosure, and therefore the implications of these disclosures need to be carefully thought through. These disclosures will include a report on:
Governance and risk management;
• Valuation principles applied for solvency purposes;
• The internal model: methodologies, assumptions, and validation;
• Capital requirements, with an account of the company's minimum capital requirement and solvency capital requirement (SCR) and any breaches during the year, plus a breakdown of the SCR standard formula and internal model calculations.
So how does the road ahead look? It is clear that the sector has a number of challenges to overcome and that a period of hard work lies ahead. An effective ERM model, as we have argued through this piece, should be fundamental to any approach to implementing Solvency II and will, of itself, bring tremendous benefits to organizations that work to embed ERM in their organization.
Making It Happen
• A strong management culture will ensure that risks are understood, controlled, and effectively communicated. Effective ERM is a key driver in Solvency II.
• It is crucial that capital and risk management are embedded in the business. These are the DNA of an insurance company.
• Return on risk-adjusted capital should be a key driver in the remuneration of underwriters and management.
• Considerable resources and expense are still required to develop a fully integrated model; however the capital benefits of doing so will be significant.
1. A. M. Best. "Risk management and the rating process for insurance companies." January 25, 2008. Online at: www.ambest.com/ratings/methodology/riskmanagement.pdf
2. Paul Moore, HBOS, "man in a rowing boat"
3. Markel International comprises the international operations of Markel Corporation, a US property casualty company listed on the New York Stock Exchange. It writes a variety of property, casualty, and marine insurance and reinsurance business through its two London-based platforms, Markel International Insurance Company and Markel Syndicate 3000.