28 Sep 2012, Alexander Campbell, Tony Boobier, Peyman Mestchian, Réjean Besner, Operational Risk & Regulation
Réjean Besner, Head of Solvency II Implementation, Swiss Re
Tony Boobier, EMEA Business Analytics Leader for Insurance, IBM
Peyman Mestchian, Managing Partner, Chartis Research
What is the biggest single challenge insurers are going to face as a result of the introduction of the Solvency II rules?
Peyman Mestchian, Chartis Research: We survey many insurance companies and talk to many chief risk officers (CROs) and Solvency II project leaders, and the one area that is consistently cited as an obstacle to success is data – data quality, data integrity, overall accuracy and consistency. This is particularly important since data is foundational to the fair valuation of assets and projections and, ultimately, the internal models for Solvency II rely on this information.
Tony Boobier, IBM: I’m actually going to pick two. The first is the challenge of retaining interest and momentum in the Solvency II agenda. It feels like Solvency II has been in the headlines for maybe four or five years. People are beginning to feel a little battle weary with Solvency II. So, the challenge of keeping the interest and momentum going is quite critical. Second, maybe the broader cultural issue of extending Solvency II beyond compliance and not just looking at capital optimisation issues but also the wider impact of Solvency II in the organisation – how it will affect strategy, product design and marketing. So there are two points, retaining interest and momentum and broadening the Solvency II agenda across the wider business.
Réjean Besner, Swiss Re: If you look at all the business processes that are being put in place by companies to do the reporting and the various valuations that are required under Solvency II, a lot of that work is going to have to be done at a time of the year when resources are busy with other types of reporting, be it generally accepted accounting principles (GAAP) or statutory. All of that is adding a load on existing resources and will definitely create a lot more operational risk once Solvency II is implemented.
A lot of the debate around Solvency II has focused on seeing it as a kind of insurance equivalent of the Basel II capital rules that were recently brought into the banking industry. How much do you think the insurance industry can learn from watching what has happened to the banking sector and watching how it dealt with the similar challenges that Basel II imposed?
Mestchian: We definitely see some similarities between Solvency II and Basel II, but there are also some important differences. If we look at Basel II and Solvency II as a proxy for enterprise risk management (ERM), then there are some standard transformation and change management challenges that organisations face. They are around people, culture, sponsorship and leadership from the top. We saw where there was insufficient leadership with Basel II initiatives, then there were problems around implementation and adoption. Also, they are both very data-intensive.
However, there are some methodological differences in Solvency II that should not be underestimated. I actually think Solvency II is more challenging, from a modelling perspective. Basel II was about market risk, credit risk and operational risk but, for Solvency II, we are also dealing with actuarial or insurance risk. Insurance risk includes a broader subset of risks such as reserving, premiums of insurance, extreme events and product design. These differences are nontrivial and we have seen some vendors providing calculation engines that were appropriate for Basel II, but not so appropriate for Solvency II, particularly for the asset and liability modelling.
The final point is that Solvency II regulations are still moving. The goalposts are still being moved and there is still a lot of uncertainty around the detail and the deadlines. That was also the case to some extent with Basel II and we saw some banks leaving it too late. They were waiting for the regulations to be defined to the nth degree before they started investing. They really ran out of time very quickly. Insurance companies need to consider the fundamental building blocks that are required for ERM and put those in place as soon as possible. For example, for operational risk, regardless of the final regulatory details, every firm should have the core building blocks of an operational risk system in place such as a risk and control self-assessment, loss data collection and key risk indicators. In relation to these requirements, there is no advantage in waiting for the final set of rules.
Boobier: We looked at the Basel II pattern when we were developing a Solvency II solution and there are comparisons, not just in terms of the technology, the architecture and the data issues, but also the challenges of implementation. If anything, it taught us to be a little patient. We felt from the outset there was a potential for the timings to slip but we recognised that, if organisations wait until the last minute to start their implementation, then there will almost inevitably be a capacity issue across the entire industry. The danger is also that insurers are often looking at this as a compliance issue, but there is a very tangible business benefit in adopting some of the ideas that form part of the Solvency II approach in terms of organisational change, data management, and so on. It’s quite interesting that not too many insurers are looking beyond compliance, which I think is a little short sighted.
Réjean would you agree with that description of how Solvency II is being treated?
Besner: I see both in the industry. I see companies that are trying primarily to achieve compliance. I see other companies that are taking this as an opportunity to significantly upgrade their capabilities, particularly in terms of risk management. The challenge is that, at the end of the day, the requirements of Solvency II are fairly prescriptive. It is meant to be principles-based, but the specific requirements are very detailed. So, as much as a company might want to use this as a way to improve how they do business, the compliance aspect remains pretty critical because of the specific requirements.
Everyone is operating with fairly tight budgets and it’s going to be a lot easier to make the case for Solvency II-related spending if you can point to a concrete compliance requirement. How do you make the case for that kind of spending if not by pointing to the need to comply?
Besner: In a way, it’s not that important why companies are doing it. The important thing is giving them the opportunity to change the way they do business. I doubt that a lot of companies would have been willing to make that kind of investment upfront if it wasn’t because of a compliance requirement, but often they are taking the opportunities to improve the way they manage the business. There will changes, caused by the introduction of Solvency II. There will most likely be consolidation in the industry but, in the end, it will be a stronger industry.
Mestchian: Beyond the business benefits of better decision-making, risk and finance integration, and risk-based performance management, there is a reputational benefit as well. Trust and confidence in financial institutions is at an all time low and, if you can show that you’ve got advanced approaches to corporate governance and are meeting advanced requirements from the regulators, it’s almost like a stamp of trust. It shows there are rigorous and robust risk management processes and systems in place and sends the right signals to the outside world.
What are the most likely mistakes insurance companies will make that will tie them to an inflexible setup? What is it important to avoid doing if you want to remain flexible?
Mestchian: On the modelling side, some of them are taking a black-box approach to calculations – in some cases, taking ‘off-the-shelf’ solutions from the market, which are okay for a year or two but then lose acceptability. So you need more of an open architecture, a toolkit approach, which provides long-term flexibility. We have seen an underestimation of the data challenge. In a typical Solvency II system implementation project, between 60% and 70% of the time and effort is in getting the data ready. Also, we have seen too much time spent on Pillar I calculations and not enough on Pillar II, which is all about embedding risk management, stress testing and the overall governance structure. Sometimes the mathematics of the Pillar I attracts certain people within insurance companies and they lose sight of the governance processes and strategic aspects of ERM.
Besner: The way companies are implementing Solvency II is very important. If we are adding another layer of systems and processes on top of what they already have in place, then that hardly supports the ability to be flexible and nimble in the market and that is what some companies are unfortunately doing. You can end up in situations where you are getting information out of your capital model that may be difficult to reconcile with what you are seeing under another view, maybe a GAAP view. You will have to try to reconcile that, as opposed to going ahead and make the right business decisions on the spot.
Boobier: It depends on the ambition of the insurance company. Some insurers simply want to cross the compliance line and then, if they can reuse some of those abilities a little later on, that is fine. The real challenge is that Solvency II is a transformational opportunity for the insurance industry, but do many insurers actually see that? For those organisations that choose the tactical route, purely compliance, it’s almost inevitable that they will find the tactical decisions they have made won’t allow them to scale across the entire enterprise, and they will have to think in terms of retooling or choosing new capabilities.
Besner: That’s where the early movers have a strategic advantage. They will be ready, they will understand the framework. It will be properly embedded and they will see other people reacting differently in the market – moving more slowly and finding themselves in more difficult positions later on – which will allow them to take advantage of that.
Of the operational risk management requirements included in Solvency II, where do you think insurers will have the most ground to make up?
Mestchian: From a methodological perspective, the loss-distribution approach seems to have the most adoption, which obviously requires the collection of loss data, and then creating some level of adjustment by assessing the control environment to facilitate the overall risk capital calculation. The loss-distribution approach is used to address a compliance requirement for advanced management and unexpected loss but, by putting the right processes in place for control assessments, data collection and reporting, and by using scenario analysis and key risk indicators to provide additional data, it’s the net improvement in expected loss and having best practices around operational risk that often gives the business case for investing in new processes and systems. So it is important to make the distinction between expected loss and unexpected loss, and to understand why systems and technology investments are being made from an overall ERM perspective.
Do you think it is a distinction that will be generally understood in the industry?
Mestchian: I think so. I’m seeing more business cases justifying the cost of investment in risk technology based on the reduction of expected loss and then, having collected this data, firms can then model and predict unexpected loss by combining internal data and external data to come up with a capital number. Also we see an ongoing balancing act for firms between shot-term compliance-driven tactical investments, for example purchasing risk modelling or reporting tools, versus long-term strategic ERM investments, such as integrated risk management platforms that break down the various organisational silos.
Besner: Yes, behind that is the dilemma between compliance and sound business practices. Clearly, companies obtain an advantage from understanding the distribution they have around expected loss for operational risk and managing that effectively to reduce those expected losses, whereas Solvency II pushes you more towards the unexpected losses in terms of determining capital requirement. So you have to provide for that in terms of the compliance point of view, whereas the real value is around managing and reducing the risk.
Boobier: I believe the whole Pillar II issue and the emphasis on operational risk will put more focus back on the business and how it manages its affairs. We spoke a little about reputational risk earlier and, of course, failure in that area has a capital impact. But one of the big challenges is that solvency and compliance in risk still seem to sit very much in the office of finance or, in the larger organisations, with the CRO or various other risk-oriented analysts. But Solvency II will extend to multiple parts of the business and, of course, that applies to the operational risk issue as well. How many marketers or product developers have an inkling of what Solvency II will mean for them? It seems to me the industry, in its broadest sense, has to embark on quite a wide educational journey and make other parts of the business outside the office of finance recognise the impact and the importance of Solvency II.
Réjean, which areas of operational risk management do you think the industry will need to do the most catching up on?
Besner: That really depends which hat I’m wearing. If I’m looking at it from the business management point of view, I want to have the framework in place where I can control my operational risk and that obviously needs data to support it. But, if I think of compliance, then the challenge is really how you determine the capital requirement for operational risk. That’s a science that is really evolving. So there are a number of approaches one can take and none of them are really proven yet, which is a challenge for companies.
What about cultural issues? What are the most important cultural differences going to be between the insurance industry now and the industry post-Solvency II?
Boobier: The insurance community and the technology sector often use different language to talk about the same thing. It is this lack of understanding of each other’s language that creates a lot of the challenges and barriers. When we look at a Solvency II issue, we think in terms of Solvency II jargon, which many insurance professionals don’t actually understand and don’t recognise as relevant. One of the interesting cultural issues will be that we need to start using a language in this compliance/confirmation environment that is understandable by all. While we use specialist language that only a few people can really understand, then the whole topic of solvency remains in the hands of specialists, and it is far too important for that.
Besner: The important change is really establishing the connection between risk-taking and business performance. This is not a culture that has been broadly in place in the industry and Solvency II is pushing that very strongly. We have been managing the business on economic principles for many years and that has brought about a significant change in the culture of the company.
Mestchian: I would tend to agree with Réjean. We are definitely seeing more and more projects where there is a convergence between the risk discipline and the finance discipline and moving towards risk-adjusted performance management. That is a nontrivial change. I have been in meetings where we’ve got finance, risk and business people using the same words but each of them meaning different things and, because it is not consistent, there is no standardisation of definitions across the industry or even within the organisations themselves.
But one term that is overused is the term ‘integration’ – for example, the integration of risk and finance and the integration of systems. From a cultural perspective, I think ‘alignment’ is a better word than ‘integration’. We need better alignment between the business lines, the front office, the back office and the risk and finance functions, and part of that is using consistent metrics and sharing information and communicating risk in a consistent way throughout the organisation.
Besner: I would agree. We talk about finance and risk but it is critical to bring the business on board and that will only happen if there is very strong support at the highest level. It is critical for success – you cannot implement a new vision of the business if the business itself is not in line with it.
Boobier: Many boards became quite upset at the cost of compliance, particularly around data management. There was a fair degree of underestimation of what needed to be done and the time required, and that started putting a lot of pressure on budgets. So, on the one hand, we are trying to encourage the C level to look beyond compliance and think about the return on investment but, on the other hand, these executives have already had their fingers slightly burnt around cost and will perhaps start making cost-cutting decisions.
What do you think will be the largest single benefit of Solvency II for the insurance industry?
Mestchian: Insurance companies can take the opportunity to create an ERM system with a consistent data platform, and good-quality risk and finance information to support better decision-making and improve performance. Clearly, there is a trade-off between short-term tactical compliance decisions, which are dependent on specific regulations, and the long-term strategic view, but it is the companies that have the long-term strategic view that ultimately win.
Boobier: The topic of today’s discussion is around solvency and compliance, but we need to raise our eyes and think of a world beyond compliance and how the industry will look in that post-Solvency II age. Everything we are doing will lead to insurers becoming more informed and better managers of risk, but they will be much more agile than they ever were before and the ability to make informed decisions will create a competitive advantage.
Besner: It is the connection between risk-taking and business decisions. The industry has the opportunity to be in a much stronger place to understand the impact of the business decisions on their risk profile and their capital requirements. What we have are very blunt tools to make that connection until Solvency II is implemented. Solvency II is a huge step forward in that respect and can only result in a more sound industry.
Click here to view the article in PDF format.
Click here to listen to the full discussion online.