IRM SIG What does the Second Line of Defence look like post SII July 2013


What does the Second Line of Defence look like post Solvency II?

Susan Young
Head of Risk Management
R&Q Managing Agency Limited
4th July 2013

Institute of Risk Management
ERM in Insurance Special Interest Group

Disclaimer

The opinions expressed in this presentation are my own and do not represent those of my organisation

Feel free to share yours

Session Outline

• The Risk Management Function under Solvency II

• The Three Lines of Defence Model

• Some thoughts

• The Three Lines of Defence in a SII world

• Observations and Challenges

• Challenges for Risk Management specifically

• The role of Risk Management in supporting the Board and the business

• How should Risk Management help their Boards?

• How should Risk Management inform their Boards?

• The Risk Management Function in the organisational hierarchy – does it matter?

• Summary and Conclusion

• Questions

The Risk Management Function under SII – Framework Directive

• Insurance and reinsurance undertakings shall have in place an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks, at an individual and aggregated level, to which they are or could be exposed, and their interdependencies

• That risk management system shall be effective and well integrated into the organisational structure and in the decision making processes of the insurance and reinsurance undertaking with proper consideration of the persons who effectively run the undertaking or have other key functions

(Section 2 Article 44 – Risk Management Function – The “what”)

To be continued….

The Risk Management Function under SII – Level 2

• A clearly defined and well documented risk management strategy that includes the risk management objectives, key risk management principles, general risk appetite and assignment of risk management responsibilities across all activities of the undertaking and is consistent with the undertaking’s overall business strategy

• Adequate written policies that include a definition and categorisation of the material risks faced by the undertaking, by type, and the levels of acceptable risk limits for each risk type, implement the undertaking’s risk strategy, facilitate control mechanisms and take into account the nature, scope and time horizon of the business and the risks associated with it

• Appropriate processes and procedures which enable the undertaking to identify, assess, manage, monitor and report the risks it is or might be exposed to

• Appropriate reporting procedures and feedback loops that ensure that information on the risk management system, which is coordinated and challenged by the risk management function and is actively monitored and managed by all relevant staff and the administrative, management or supervisory body

• Reports that are submitted to the administrative, management or supervisory body by the risk management function on the material risks faced by the undertaking and of the risk management system, and

• A suitable own risk and solvency assessment (ORSA) process

(CEIOPS Doc 29/09 Level 2 Implementing Measures – the “how”)

Enterprise Risk Management in different clothes?

The Three Lines of Defence Model

• First Line of Defence – Day to Day Management and Control
  – Board of Directors
  – Functional Heads
  – Business Units

• Second Line of Defence – Oversight, policy and methodology
  – Committee and Governance Structure
  – Risk Management
  – Compliance
  – Actuarial
  – HR, Legal etc.

• Third Line of Defence – Independent Assurance
  – Audit Committee
  – External Audit
  – Internal Audit
  – Independent Peer Review (where appropriate)

Basel Committee Definitions

Some thoughts……

• Origins can be found in sport/military planning

• Implies three separate lines operating independently, each providing a “backstop” for the other

• Solvency II infers a much more integrated view of Risk Management particularly – more later

• Other definitions have “blurred the boundaries” – Actuarial, Finance, HR etc. often find their way into the first line of defence in some models

• Others have Risk Management as the first line, Internal Control as the second line and Internal Audit as the Third Line

• The increased demands on Risk Management in particular are much more holistic in a SII world

• The Three Lines of Defence Model (and its operation) needs to reflect that

It’s not as clear cut as three distinct lines. Nor should it be?

The Three Lines of Defence Model in a Solvency II world

[Diagram: the Board of Directors and Risk Management at the centre, surrounded by the three lines]

• FIRST LINE – The Business (Risk and Control Owners)

• SECOND LINE – Direct Assurance (Compliance, Actuarial, Legal etc)

• THIRD LINE – Independent Assurance (Internal/External Audit, Independent Review etc)

The “virtual team” in a SII world

Observations and Challenges

• Risk Management sits at the heart of much of how organisations operate in the new Solvency II world

• Regarding second line - what’s in what’s out? Does it matter? If so….

• Recognise the areas with first and second line “hats” and adapt style and approach accordingly

• Our ERM responsibilities have not changed – we merely have a clearer mandate to harness them – more later

• First and third lines of defence (as traditionally defined) also form part of the Risk Management Function (even if not part of the Risk Management team)

• Risk Management is clearly in the second line; however, we will examine the implications in a moment

A blurring of the boundaries – but surely this is a good thing?

Challenges for Risk Management specifically

• Wider ranging responsibilities – Governance of the Internal Model (where used) has required a broadening in our skill set

• This reached beyond the traditional ERM “top down and joined up” approach to risk identification, mitigation, monitoring we all know and love – but the basic tenets of ERM do still apply

• Finding the right positioning within the organisation to make our voice heard – either on the Board, or reporting directly to it, or someone on it – more to follow

• From that, having clearly defined terms of reference for the Risk Management Function – which should encompass elements of the first and third lines as appropriate

• Ensure your organisations know how to harness the skills within the Risk Management team to optimum effect

• Maintaining the momentum in the light of SII implementation delays – a working assumption has to be that SII is coming

• Convincing the organisation of the value of living it now!

A fair few – what do these mean in practice?

The role of Risk Management in supporting the Board and the business

• Risk Management should be embedded – so what does this mean?

• Risk Management is not the Risk Management team alone

• The Risk Management team is an enabler for Risk Management activity

• Accordingly, effective Risk Management activity cannot be abdicated to the Risk Management team, or merely “bolted on” to existing business activity

• SII recognises that the Risk Management Function, however defined, has responsibility for many elements of Internal Model Governance – Scope, Change, Validation – a terrific mandate for facilitating the alignment of the two disciplines

• “Function” is the operative word. Risk Management should function, not just be. It is a process.

• Risk Management should be defined, positioned and structured appropriately to be able to fulfil its obligations and actively support the Board fulfil theirs.

Risk Management is well placed to underpin the Board – provided it is well embedded

How should Risk Managers help their Boards?

• Ensure there are properly defined Terms of Reference (mentioned earlier – distinguish between the Team and the Function)

• Risk Management has a key role to play in the following, as well as day to day activity:
  – Business Planning – Risk Management informs the process and monitors business performance
  – Strategic initiatives – they can have major capital implications

• Ensure the reporting line affords you an appropriate profile and feedback loop, either on the Board or reporting to it – as well as the requisite independence

• If not, ensure Risk Management is covered during the Board meetings - not at the end

• Get the structure and balance of your team right – remember your “virtual” team as well!

• Educate, educate, educate – this never ends – from top table to grass roots

Maintain visibility – it is key in fulfilling these responsibilities

How should Risk Managers inform their Boards?

• Engage up front in defining what the Board wants, why and when

• Ensure there is a common and consistent language
  – Keep jargon to a minimum
  – Once established, stick to it

• Present concise Management Information – not Data
  – Less is more
  – Provide detail by all means, but keep key information to a few pages – or even only one
  – Ensure your Key Risk Indicators do address your Key Risks
  – Ensure any “Reds” are sufficiently material to warrant discussion and corrective action
  – Test the impact – did the MI drive action?

• Internal Model Outputs – for example
  – Sensitivity tests – can show the impact of decisions on Risk Indicators/Capital Usage
  – Risk Ranking and allocation of capital to individual risks or risk categories is a lever to prioritise risks

Taking risks has capital implications – we need to know how much – by managing risks in this way, we can take more of them!

The Risk Management Function in the organisational hierarchy – does it matter?

• Yes, for the reasons already outlined – but that’s not all

• The Risk Management Function should be purely second line of defence
  – if properly embedded it should support, challenge, embed – not do it all

• It should maintain its independence in order to be objective

• There is no hard and fast rule as to how this is done – it will depend on the organisation and it may need to change/adapt over time

• However, the days of Risk Management as a siloed, discrete bunch of “bolt on” people are gone – Risk Management is a “virtual team” – being the whole organisation

Thoughts?

Summary and Conclusion

• The responsibilities of the Risk Management Function under Solvency II are clear and unchanged

• They are nothing really new, merely a clearer mandate to embed ERM

• The Three Lines of Defence model as traditionally defined implies demarcation between the three lines

• This has limited appropriateness in a Solvency II world – the three lines of defence model is less discrete, more continuous and less “clear cut” – Risk Management should recognise this when engaging with the business

• The Risk Management Function in the second line is in a unique position to support, challenge, embed and is well placed to do so

• The impetus should remain notwithstanding the delays to the timetable

And finally….

Thank you for listening
Any questions?

DDI +44 (0) 20 7780 [email protected]

www.rqih.com