Address by Director of Insurance Supervision, Sylvia Cronin to the Insurance Ireland’s Milliman CRO forum

Good morning and thank you to Insurance Ireland for inviting me here this morning to talk to you about some of the current and planned activity in the Insurance Directorate. I am pleased to have this opportunity to outline to you how we have reshaped and enhanced our supervisory strategy in order to align with Solvency II, and highlight areas of focus for supervision in 2016. Of course, a large part of our focus will be on the core areas of insurance risk such as underwriting, pricing, reserving and claims, and capital adequacy. To set the scene, I would like to spend a few moments discussing the recent changes that have taken place within the Insurance directorate. I also want to discuss at a high level, work undertaken with colleagues across the Central Bank around tailoring the PRISM engagement model to be more insurance specific and ensuring close alignment with Solvency II.

Insurance Directorate Restructure

PRISM and Solvency II

I want to take this opportunity today to speak about the redesign of our PRISM engagement model. You will all be familiar with the previous model where the level of engagement conducted by the supervision team is driven by the 'Impact' rating of your company or as some may see it, a measure of size. The 'new model' disaggregates the company into areas such as insurance, governance, or operational risks, and for each area takes into consideration both the size of your company and the riskiness of the area. Combining these 2 factors will now determine the level of engagement your supervisors will have with you on a given area.

So, 2 things have changed:

•  The probability risk scores which were formerly referred to as high, medium high, medium low and low are now numbered 1 to 4; with 1 equating to low risk and 4 equating to high risk for a given area; and secondly

•  The level of intensity, intrusiveness and frequency of the supervisory engagement you will experience will depend on a combination of the 2 factors; ranging from 'Intensive' to 'Basic'.

The impact of this change will mean that whereas in the previous model, a low or medium low impact firm could have a relatively high risk profile, and receive a low level of supervisory intervention, this new model will require a higher level of supervisory intervention, owing to the higher risk profile.

As was the case with the PRISM model which you are familiar with, the overall 'Risk Score' will be driven by a number of sub-risks such as governance, pricing, reserving, operational, and investment risk etc. What is new is that the engagement intensity score will also be applied at the individual sub-risk category level as opposed to just at the level of the firm. By way of an example, this might mean that where reserve risk is the issue giving cause for concern, then supervisory intervention is directed at that area, as opposed to looking at the other risks such as governance, etc. in equal measure.

We have also developed a bespoke model for companies with a Low impact rating. This reflects a move from reactive only supervision of low impact firms to a proportionate amount of pro-active supervision for those firms. Thematic reviews will be conducted on this category of firms by the on-site inspections team going forward and this model has already commenced roll-out in Q1 this year. This will focus on governance, risk management and internal controls within low impact firms with a specific interest in outsourcing, intra-group transactions and reinsurance arrangements.

The changes reflect the new engagement model where it will now be possible to allocate more supervisory focus to a third party captive or a medium low rated reinsurer where their risk profiles suggest closer supervisory engagement. Similarly, where some high impact firms have a stable portfolio and risk profile, these may see less supervisory interaction.

Supervisory framework under Solvency II

So you may be asking 'What does that mean for me, as CRO?' I would recommend that each firm contact your dedicated supervision team about the specific engagement plan for your company in 2016. They will be in a position to inform you as to which level of engagement your firm is rated as requiring and advise you of the areas of focus for the upcoming year.

At a high level it will mean the level of intensity of supervision will increase in the following areas:

•  More focused and searching interviews with the executives and non-executives of the company;

• You will be familiar with terminology such as Financial Risk Reviews (FRRs) or Financial Risk Assessments (FRAs). These will now be replaced with what are referred to as Targeted Risk Assessments which will focus on key Solvency II risk areas such as pricing, reserving, capital risk, etc.
• There will be a definite focus on evidence gathering to support company assertions and an increased level of on-site activity, so as to assess how a firm is actually run as opposed to how it is managed in a hierarchical sense. This on-site activity may be conducted by either the supervision team or the dedicated on-site inspections team. If it is the latter, you may expect to have the team on-site for a period of 4 to 6 weeks performing detailed testing, walk-throughs etc. to test the effectiveness of the key internal controls of your business. These teams will focus on areas identified as being of elevated risk.

Areas selected for on-site inspection in 2016 are underwriting, claims, embeddedness of risk management and operational risk. These will focus predominantly on the domestic life and non-life sectors in 2016.

Industry and Solvency II

We recently published the Insurance Directorate’s list of priorities for 2016 on the Central Bank website. There is a focus on insurance risk, in the areas of pricing and reserving and how embedded risk management is in our regulated entities.

So, firstly what does ‘good’ risk management look like?
The Cranfield School of Management has recently completed a study of a number of organisations to identify the key principles of an effective risk management system to achieve resilience. These were noted to be:

• An ability to anticipate problems; 
• Adequate resources to respond to changing conditions and capacity to respond quickly to an incident;
• Free flow of information right up to Board level; and
• Willingness to learn from experience.

The risk function is critical to success of your business and plays a central role of challenge and oversight. The role of the CRO requires an individual that can juggle all the stakeholders and the risks across the business.

The risk function and the CRO is challenged with:

• Bringing the Risk Management framework to life. The CRO and team must spread the risk management ethos and risk culture of your company down into every aspect of the business. Identifying, measuring, managing and monitoring risk must become second nature in the decision making and daily operations of the people in the business, or what is commonly referred to as the first line of defence; and

• Equally the CRO must drive risk management at the senior executive and Board level. The CRO is responsible for bringing all of a company's risk management information together in a meaningful and cohesive manner. This allows Board members to understand and monitor the risk profile and potential exposures of the business and therefore equip them to make appropriate and informed strategic decisions. While to date, there may have been a focus on the individual components of the Risk Management framework such as the Risk Appetite Statement ('RAS'), the Risk Register, Risk Tolerances, Risk Policy etc., it is imperative that the CRO can bring all of these pieces together for the Risk Committee and the Board of Directors.

I cannot over-emphasise the importance of the overall risk management system and that this is not a single individual. It can be very difficult to be a perpetual challenger when in a gatekeeper role. Therefore, the CRO should leverage your relationship with the Head of Actuarial Function (HOAF) and this should develop into a natural partnership.

From a supervisory perspective when assessing the maturity of risk management frameworks we will be focused on evidence of risk management in practice. In preparation for Solvency II much of the focus was on the design of risk management frameworks. Now that Solvency II is live we will look to see evidence of this living and breathing in practice, such as evidence of:

• The ORSA process - records of workshops, meetings with the business on risk and scenario identification, minutes of Board meetings which reflect risk based decision making;
• Risk analyses as a key component in strategic capital and business planning;
• Appropriate risk MI being provided to the board which is reflective of the peculiarities of the company as well the external operating environment. For example, pricing metrics in the risk appetite statement for domestic non-life companies needs to be appropriate in light of universal rate increases; and
• Risk governance in relation to on-going monitoring of the appropriateness and suitability of either the standard formula or an approved internal model to the risk profile of your business, whichever is relevant. In addition to this, evidence of the 'human challenge' of such models.

These are some of our overarching thoughts on risk management in the wider sense. There will also be a focus on the following risk areas by the Insurance Directorate in 2016.

Insurance Risk: Pricing and reserving risks are at the core of insurance companies. This will be an area of focus for the Directorate in 2016. We will take a multi-faceted approach to the supervision of these risks utilising a combination of approaches:

• the supervision teams will carry out Targeted Risk Assessments;
• the actuarial team will perform a thematic motor insurance pricing oversight and governance review; and
• the on-site inspection team will perform in-depth inspections of the internal control frameworks of the claims management and underwriting functions within domestic non-life companies.

In addition to the core insurance risks, we will also focus on the area of operational risk and further develop our supervision of product oversight and governance and group risk.

Group Risk

As would have been noted at this forum previously many of the companies supervised by the Central Bank are members of larger groups. This brings with it a Parent/Subsidiary dynamic. With this in mind the Central Bank will be cognisant that many groups may have their own internal economic measures and global risk appetite, permeated down to its subsidiaries worldwide. It will be important that Irish and European subsidiaries also measure their risk appetite on a Solvency II basis and ensure that intra-group concentrations and exposures are adequately captured and monitored as part of the local entity RAS.

Group risk may also emerge through intra-group financial transactions such as reinsurance, loans, capital contributions etc. but also through intra-group operational interdependencies on critical functions, which may create additional operational risk if these ‘in-souring’ arrangements are not monitored with the same vigilance as a third party outsourcing arrangement.

As the CRO you will also be challenged to achieve consistency and alignment to the group practices while also maintaining a ‘local’ independent mind-set. The local CRO will need to maintain the concept of ‘local’ challenge to the group risk function from the ‘local’ subsidiary perspective, while also delivering on consistency with the group risk management. It is important that the CRO does not neglect this concept of independent challenge in risk management while delivering this mandate.

Looking forward

I would like to finish this morning by considering some other topics of interest on the supervisory horizon.

Culture

One of these areas is Culture. This is an area of increasing interest in the industry and for supervisors. Of course there are different types of cultures and sub-cultures within organisations. These can range from the culture in the Board room to the culture of business units. 

You might ask why am I speaking about culture at a CRO forum?

Behaviour and culture are integral parts of the bigger organisational picture of a financial institution and in a Solvency II environment, risk culture is key.

Everyone within a company has a role in ensuring that personnel live and breathe their articulated cultures. Pivotal to the communication of the risk culture is the CRO. The strength of character of this person will often determine how embedded risk management practices and attitudes become across an organisation. A sound risk culture should promote effective challenge in which decision-making processes promote a range of views, allow for testing of current practices, and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement. In performance of your role, the CRO should lead this by example and challenge the status quo from a risk management perspective, whilst maintaining independence of mind.

A common cultural problem is the ‘normalisation’ of misbehaviour – staff can reach targets by bending rules, but nobody blows the whistle and senior management do not intervene. . An organisation’s culture must challenge established practices and encourage transparency and open dialogue between, management and the Board, and management and staff at all levels Staff in all parts of your business need to feel that they work in an environment where speaking honestly is appreciated, not frowned upon or punished. This openness for mistakes should be championed by senior leaders, including the CRO. A culture of avoidance can be detrimental to the risk management governance systems and culture.

Cyber Risk

Cyber security is increasingly a concern for CROs, demonstrated by a series of recent high profile breaches. Cyber events are becoming more frequent because organisations are getting more complex, more global and changing more rapidly. Business models are changing, as are supply chains, use of technology is evolving and it is amplifying a potential for failure in the future. This is a very real risk and firms need to increase not only their level of sophistication on how to manage this risk but also how they are identifying, reporting and monitoring this risk.

From a regulatory perspective Cyber Risk is also on our agenda, it is likely that there will be a Central Bank wide thematic review across the financial sector, which will include insurance undertakings.

External Environment

Of course it is also essential that we all continue to monitor developments in the external environment and we would expect that companies would query and investigate how external risks/events may impact your individual entity. These risks could emanate from the legal and political environment or may be driven by volatility in the financial markets. An example would include the possibility of ‘Brexit’ – what impact could this potentially have on your business model? Whether you are a domestic Irish firm, a cross border firm operating in the UK or part of an international group, such a scenario and the range of management actions open to the firm needs to be considered and thought through.

It will be key to track financial market volatility more closely than ever in a Solvency II environment, in particular the credit quality and liquidity of your investment portfolios. There are indications that credit quality is deteriorating and careful monitoring of the asset portfolio is critical. It is important that companies ‘look through’ their bond portfolios and be in a position to assess the quality of these assets and any potential exposure to highly leveraged sectors.

I’ll turn now to the ORSA process and some work that we have recently completed to review the Forward-looking Assessments that we received in 2015. So far our work has been focused on reviewing the reports received rather than reviewing the actual ORSA process, which is more important in driving an appropriate risk management culture in companies.

As you know, the first assessments were compiled by firms during 2014 and in May of last year, we wrote a ‘Dear CEO’ letter to industry with some observations about those reports and about new requirements that we expected to see in the 2015 versions.

Since May last year, we have reviewed in outline 24 reports from high and medium-high PRISM category firms. Detailed reviews of individual reports are also being carried out and higher impact firms can expect to receive individual feedback. For now, I am going to talk about general findings. I’ll discuss the results in two parts. First, how the points raised in the Dear CEO letter were handled and then some observations about the 2015 reports which should inform this year’s ORSA process and reporting.

Boards should be involved in steering their firm’s ORSA process and not just signing off a final report. In about half of the reports, it seems that Boards are playing a more central role in the ORSA process. This has been concluded from explicit statements in the report or in some cases it is obvious from the report’s style. Where the report didn’t cover this point, a review of Board or Risk Committee minutes may demonstrate that Boards were heavily involved.

Secondly, we stressed that firms should be assessing all material risks, quantifiable and non-quantifiable, that they face, and either quantify them or set out a plan to handle them. The range of risks and the extent to which they are considered varies by firm. In some cases, there were comprehensive lists of risks being considered, including not just the risks listed in the Dear CEO letter, but a host of others, relevant to the circumstances of individual firms.

This is very positive and is exactly the purpose of the own risk assessment. Combined with the board point mentioned just now, there is clear evidence that some firms are well down the road of identifying and analysing all of the risks that their businesses face. There were some great examples of analysis and assessment, for example of pension scheme risk and operational risk.

For risks that are not managed by holding capital, we have seen some examples of comprehensive action plans being documented, for example for liquidity risk.

There are, inevitably, firms that are less far down this path. This may reflect a different, perhaps simpler and lower-risk business model. This assessment will be tested as individual supervisors continue to drill down into ORSA reports in detail.

The Dear CEO letter referred to the new requirement for 2015, which is the assessment of continuous compliance with the SCR. Around half the firms confirmed that they would continuously comply with the regulatory capital and technical provision requirements from the date of their report.

The other Dear CEO letter requirement, which had been incorporated by many in 2014, was to assess the degree to which the risk profile deviates from the assumptions underlying the SCR. In the Dear CEO letter, we asked firms to improve their documentation in this regard and this happened in around two-thirds of cases.

Finally, projections were generally performed over a three- to five-year time horizon, which meets the requirement for a medium or long term perspective, provided that time frame is appropriate for the business in question.

Turning to the results of the review of 2015 reports, first of all, it’s obvious that a significant amount of work has taken place, to implement the ORSA process and make it work.

So what did we think…

First, Overall Solvency Needs, as touched on earlier. In half of the reports, the firm’s solvency needs have been expressed as a buffer above the Solvency Capital Requirement (SCR). This is an appropriate response provided that the work has been done to evidence the capital required for all of the risks being faced by the firm. In particular, for 2016, firms should be thinking about how to express the capital needs of their strategies and how that affects their decision making.

In many cases, the opportunity has been taken to collate the documentation of the risk management framework, the strategy and the business plan. This is a useful exercise, and the fact that it is being carried out early on in the Solvency II journey, may well be useful for Boards also. In future reports, we would anticipate that there will be evidence of the testing of these frameworks and policies, and changes arising as a result. Furthermore, we do expect continuity between the base plans supporting one ORSA and the next. The own solvency and risk assessment has to have a realistic plan at its core.

The ORSA Reports received vary widely in length. Differences perhaps reflect the requirements of the firm’s ORSA process and of its Board. The key issue for us is whether all of the material risks have been considered and either quantified or planned for.

In summary, ORSA is a dynamic process, and we expect the reports to capture the dynamism of the risk management framework and its use firmwide.

In all cases, the 2015 supervisory reports presented were the same as the reports submitted to Boards. The quality of conclusions in the reports varies, which may simply reflect the Board’s continual involvement in the ORSA process, meaning that there will be no overarching conclusion or action because actions have been taken throughout the ORSA process. As the ORSA process becomes embedded, solvency assessment, strategic considerations and the resulting decisions should begin to happen together, so conclusions may emerge more naturally.

Most of the 2015 reports were received in the last calendar quarter of 2015, based on data as at 31 December 2014. That’s an awfully long time and it is worth considering how the ORSA process can be adjusted to give faster results. And it is worth remembering, if the risk profile changes, a mid-year ORSA is required. At the moment, that looks as if this would be a big ask for many firms.

Conclusions

In summary, ORSA is an evolution. There is evidence that firms have taken on board the feedback received to date and are implementing ORSA processes that are improving over time. We look forward to continued embedding and improving risk management practices.

That brings me to the end of my presentation today. I would like to round-up with some key messages from this morning.

• Companies can expect an increased level of supervision under the new PRISM engagement model, which may include an increased level of on-site activity; The focus of inspections will be in the areas of underwriting, claims and operational risk for the domestic companies;
• Now that Solvency II is live the supervisory focus will shift to looking for evidence that the risk management frameworks you have designed and put in place are operating in practice and that a risk culture is being driven from the top down;
• Areas in 2016 where you will note increased supervisory activity will be on pricing and reserving risk, operational and conduct risk and an enhanced engagement model around group supervision and group risk; and
• Finally, we will continue to engage with you on emerging risks, how these are identified by you, how these are treated in the ORSA and what are your plans on how to mitigate these risks.