Insurers need to comply with multiple regulations like Solvency II by implementing effective Enterprise Risk Management frameworks. But what is Enterprise Risk Management?
Enterprise Risk Management is a risk management approach meant to encompass all risks and opportunities across the entire enterprise — including the governance, risk and compliance (GRC) aspects. One of the Enterprise Risk Management best practices is to embed the process into strategic planning. Enterprise Risk Management should support the core strategy for growing the business. The key to the success of today’s industries, especially insurance companies, is a fit-for-purpose Enterprise Risk Management framework that meets the overall risk management, compliance and decision support requirements of the organization.
Solvency II is a European Union Directive (2009/138/EC) that codifies and harmonizes European Union (EU) insurance regulations. Solvency II mandates EU-wide capital requirements and risk management standards, which require insurers to create and harmonize a risk-based approach to solvency and capital management.
An Enterprise Risk Management framework supports all relevant aspects of an organization to meet various compliance requirements. It nurtures a risk management philosophy and a culture that promotes compliance with the corporate risk appetite, allowing managers to manage risks within their spheres of responsibility, consistent with established risk tolerances. The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and then efficiently and effectively deploys resources in pursuit of the entity’s objectives.
Enterprise risk management encompasses the following:
- Aligning risk appetite and strategy – Align the risk appetite of the organization with the overall strategy of the organization.
- Enhancing risk response decisions – Enterprise risk management provides the ways to identify and select the most appropriate risk responses – risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses – An Enterprise Risk Management framework helps to identify potential risks and thereby reduce losses.
- Identifying and managing multiple and cross-enterprise risks – An Enterprise Risk Management framework helps to identify risks pertaining to business units spread across the organization.
- Seizing opportunities – Risks that can be turned into opportunities can be exploited for the overall benefit of the organization.
- Improving deployment of capital – Availability of capital can be calculated effectively as per capital adequacy requirements, which leads to efficient deployment of capital across the organization.
Enterprise Risk Management can offer the following benefits:
- Imbue risk culture in the people and embed risk management best practices across the organization
- Create value through effective decision making
- Reduce customer risks and improve business resilience
- Reduce the cost of complying with multiple compliance requirements separately
- Orchestrate existing systems, processes and people to achieve efficiency, and to maximize the utility of existing IT infrastructure
- Achieve auditability, governance and traceability
- Use risk management for competitive advantage
- Develop an efficient framework for managing and controlling information
Enterprise Risk Management can be used for achieving organizational objectives as below:
- Strategic – Mapped to high level strategic objectives
- Operations – optimal utilization of IT resources to maximize value
- Reporting – reliability and ease of centralized reporting requirements as mandated by all compliance requirements like Solvency II
- Compliance – Compliance with applicable laws and regulations – unified compliance framework
The above figure illustrates the evolution of Enterprise Risk Management over time. Organisations used to focus on a unified compliance framework for complying with auditability and reporting requirements. However, over time it has become accepted that it is worthwhile to have an Integrated Risk Management system in place to manage the overall risks of the organization. The cost of complying with regulatory requirements and of establishing and maintaining a risk management framework has been escalating due to the complexity of regulatory requirements like Solvency II. Hence, to get the most out of the investment and to manage risks for business benefits, mature and successful organizations have started implementing a governance framework for business resilience and creating value through strategic planning and decision making.
Step 1 (Define) - The initial step towards meeting compliance requirements is to identify the gap. Hence it is worthwhile to conduct a gap analysis for Solvency II. The gap analysis will help to identify the non-compliances. The requirements as well as the gaps are documented to ensure compliance with Solvency II requirements.
Step 2 (Design) - The next step is to implement the risk management framework as part of the Enterprise Risk Management framework to ensure that the risks related to non-compliance with regulatory requirements are identified, analyzed, documented and addressed. Risks are quantified and managed effectively. The risk response can be any of the following:
- Mitigate the risk
- Accept the risk
- Share the risk
- Transfer the risk
Step 3 (Develop) - The reporting and governance requirements of Solvency II are identified and implemented as part of the overall Enterprise Risk Management framework. The most effective means to comply with multiple compliance requirements is to implement an effective Enterprise Risk Management framework along with a Governance, Risk and Compliance (GRC) solution. GRC solutions offer overall control of transparency, auditability and reporting. GRC is the umbrella term covering the following aspects:
Governance - overall management approach through which senior management direct and control the entire organization, using a combination of management information and control structures. Governance ensures that the information is complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out effectively.
Risk Management - set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives.
Compliance – conforming to the stated requirements. Compliance requirements like Solvency II for insurers are identified to ensure they are met.
Step 4 (Develop) – An internal control framework is the key to the effective implementation of an Enterprise Risk Management framework. Internal controls are designed in accordance with the compliance requirements of Basel II and Solvency II. The idea is to ensure there is adequate mapping between regulatory requirements, corresponding risks and the respective internal controls that implement or comply with those requirements.
Step 5 (Deploy) - The final step is to perform regular testing of the internal controls for their effectiveness. The test will be a part of the umbrella Enterprise Risk Management framework and meet the auditability and reporting requirements of Solvency II.
“The most important aspect of implementing Solvency II is the time-driven reporting window and availability of real-time data for reporting, because this is where the pain is hidden. This can be achieved by implementing an effective Enterprise Risk Management framework,” says Emmanuel Noblet, SecondFloor.
Stress testing is an important aspect of Solvency II compliance. It involves applying pre-defined financial shocks or performing risk simulations on banks and insurers under financial and economic stress to test the liquidity and capital adequacy of the organizations. Solvency Capital Requirements and Minimum Capital Requirements (Solvency II) are calculated and reported by the Enterprise Risk Management solution. However, the availability of an effective Enterprise Risk Management framework will ensure that such tests and calculated results are regular practice and do not require additional cost. Moreover, an indication of non-compliance can help senior management to take appropriate decisions.
“Effectiveness of Enterprise Risk Management framework is measured by how much the risk culture is embedded in the business workflow and day-to-day activities and still complying with various regulatory requirements like Solvency II,” says Emmanuel Noblet, SecondFloor.
In conclusion, the availability of an Enterprise Risk Management framework makes it easier to embed the compliance requirements in the business workflow. Compliance is regularly monitored, the risk culture is imbued in the organization, and decision making becomes easier, leading to significant strategic advantage for the organization. Repeatability, accountability and traceability requirements are managed along with governance and reporting requirements for various compliance requirements like Solvency II. Centralized governance and reporting ensure centralized management of risks and regulatory compliance requirements to meet overall organizational goals.
Hence, effective Enterprise Risk Management frameworks not only help to comply with regulatory requirements but can also be used for business resilience and strategic advantage, creating value for the organization through strategic planning and effective decision making to meet organizational goals.