A revision of the Corporate Governance Code of Practice for Regulated Insurance Entities analysed by KPMG’s Risk Advisory team.
The management of a wide range of risks accumulated from other parties for monetary gain is the raison d’etre of insurance companies, so their proficiency at it is of major interest to shareholders and policyholders alike. A keenly-awaited revision to the regulatory requirements of local insurance entities in respect of the Corporate Governance Code of Practice for Regulated Insurance Entities (or ‘CGC’) was released for consultation last month, which KPMG’s Risk Advisory team analyses.
The end of August saw the FSA release its consultation paper covering proposed changes to the Island’s Corporate Governance Code for insurers. As I had signposted in an article last year, a consultation paper covering matters relating to Enterprise-wide Risk Management (ERM) and Corporate Governance was originally forecast for publication in late 2016, though a number of competing issues, perhaps most materially being consultations on Conduct of Business and complementary amendments to the 2008 Insurance Act, justified a postponement. The FSA is practicing what it preaches in this respect by establishing its own ERM Framework and governance changes as part of the IPA/FSC integration activity, so the industry is in good company at this point!
Regardless of the lens through which corporate governance and risk management matters are viewed by shareholders, licence holders and their staff, the world of international insurance supervision has never been more demanding or insistent on the matter. The Financial Stability Board, the International Association of Insurance Supervisors, the European Insurance and Occupational Pensions Authority and the Financial Reporting Council have all instigated material change in the risk and governance expectations of insurers since the existing CGC was enacted in 2010.
"So it is in [licenceholders'] best interest to have it well-regulated - not over-regulated but well-regulated"
FSA CEO to Economic Policy Committee, January 2017
In its previous guise as the Insurance and Pensions Authority (IPA), the FSA was conscious of signposted changes in the approach of our EU neighbours when consulting on the original CGC in 2009, with a mind to a potential Solvency II equivalence assessment in future. That said, Solvency II had not progressed from the base Directive into the raft of delegated regulations and “comply or explain” supervisory guidelines which now sets something of an international benchmark on the topic.
Given the local insurance industry was cited by the FSA CEO as the demand for Solvency II equivalence earlier this year, the themes and indeed wording of the proposed ERM-inspired enhancements to the CGC should be of little surprise to Manx insurance entities, particularly given the early sight of much of them in a 2014 Discussion Paper.
Cosmetically, the CGC is a slightly different beast after some reordering, and a change of emphasis from things which previously “shall” be done to things which “must” be done (the distinction on which our own Attorney General’s drafting guidelines say “the debate rages”!). Outside of this and some tactical amendments (including a Moneyval-inspired re-emphasis on AML/CTF governance and the removal of insurance managers from its scope), material changes in the proposed CGC include:
- ERM system, including risk appetite framework
The FSA has usefully taken a step towards defining a number of notoriously difficult terms when detailing what inputs, processes and outputs are expected from an insurer’s ERM system. Risk Appetite, Tolerance, Capacity and Limits are all firmly defined in the context of expected strategic and operational usage, and insurers will do well to incorporate these into their operating models at their earliest convenience.
Expectations of enterprise-wide management of risk, capital and liquidity beyond a conventional 12 month window run through the revised CGC, aided by the incorporation of expanded guidance relating to Investment, ALM and Derivative risk management which is expected to feature in an insurer’s relevant policies.
Talking of policies, the CGC now talks of an insurer’s Risk Management Policy needing to cover its business planning period, being “no less than 3 years without the Authority’s approval”. New additions or upgrades in insurers’ policy suites will also be required for ORSA, Capital Retention and Remuneration, all of which will absorb resource and time at the senior end of insurance entities. It is likely therefore that some focused policy drafting and amendment will feature on the 2018 work plans of Manx insurance entities.
- Own Risk and Solvency Assessment (ORSA)
I will look at the introduction of ORSA in a separate piece, but highlight here that the proposal does facilitate the FSA’s use of an insurer’s ORSA result, quantified as Economic Capital Needs, to set an insurer’s regulatory capital (unlike Solvency II, which definitively rules it out), as well as a forthcoming consultation on how ORSAs should be reported to the FSA, as distinctions from the approach of our EU neighbours.
- Actuarial, Risk and Internal Audit Functions
Actuarial service provision, through an Appointed Actuary, is already catered for in the current CGC. However, the responsibilities of an independent Actuarial function are massively expanded, virtually mirroring the Solvency II approach. This perhaps lists, rather than markedly changes, existing operational responsibilities, but may necessitate some bespoke governance to separate functional operations from oversight.
The creation of a formal Risk Management function would be a new obligation however, with the tasks allocated to it often catered for by a broader risk, compliance and internal audit body of staff. The disproportionate expense entailed in staffing and resourcing such a function was often referred to by EU insurers when preparing for Solvency II, so establishing the most efficient way to establish a function as proposed, and subsequently drive value from it, will be of particular importance to the Island’s insurers over the next year.
Interestingly, Internal Audit, previously a function which Boards were permitted to perform themselves, has now been definitively removed. This not only reflects the growing recognition of Internal Audit as a profession, but also the significance which Moneyval attributed to independent controls testing in the conclusions of their report last year.
- Direction of culture, ethics and conduct
The increased emphasis includes ensuring remuneration policies do not reward excessive risk taking, more detailed fitness and probity expectations, and improved detail in record-keeping at Board level. Also, the responsibilities of the Board, as opposed to management in general, are materially expanded, including the oversight of the embedding of corporate culture, the risk management system, the separation of control functions from management and the responsibilities of all participants in the external audit process.
Perhaps the most delicate discussions to follow will be in the area of proportionality, a concept often used in European legislative circles which insurers sometimes misinterpreted as ‘optionality’, a misconception which European supervisors have spent considerable effort in correcting over the last two years! The FSA have gone to the effort of clarifying this in the consultation paper, namely that implementation of the proposed CGC requirements is to be in a manner appropriate to the nature, scale and complexity of risks, as opposed to neglecting to comply with elements one deems irrelevant.
The consultation is scheduled to close on 17th November, with the resulting CGC expected to go live from January 2019. KPMG is well placed to advise insurers on areas for upskilling and alternative approaches to future state compliance, and welcomes any queries on the subject.