Risk management system
- Solvency II Law: Article 42, § 1, 3° (internal reporting on risks) and 11° (identifying a deterioration in the financial circumstances), Article 56 (the risk management function), Articles 84 to 90 (risk management system) and Article 91 (ORSA)
- Delegated Regulation 2015/35: Articles 259, 260 and 261 to 265
- NBB Circular: Circular NBB_2019_30 regarding the guidelines for the own risk and solvency assessment (ORSA)
- EIOPA Guidelines: Guidelines 17 to 26
The Solvency II Law and Delegated Regulation 2015/35 require the insurance company to develop an effective risk management system.
In accordance with the Delegated Regulation, a risk management system shall include the following:
- a clearly defined risk management strategy which is consistent with the undertaking’s overall business strategy. The objectives and key principles of the strategy, the approved risk tolerance limits and the assignment of responsibilities across all activities of the undertaking shall be documented;
- a clearly defined procedure on the decision-making process;
- written policies which effectively ensure the definition and categorisation by type of the material risks to which the undertaking is exposed, and the approved risk tolerance limits for each type of risk. Such policies shall implement the undertaking’s risk strategy, facilitate control mechanisms and take into account the nature, scope and time periods of the business and the associated risks;
- reporting procedures and processes which ensure that the material risks faced by the undertaking and the effectiveness of the risk management system are actively monitored and analysed and that appropriate modifications are made to the system where necessary.
The aim of this system is to identify, assess, control and monitor the risks to which the insurance companies are or could be exposed.
Insurance companies must also introduce systems to identify a deterioration in financial circumstances and to immediately inform the Bank where such a deterioration occurs.
3.2. The role of the board of directors, management committee and the risk management function
3.2.1. Specific role of the board of directors in the risk management system
The board of directors of the insurance company has the final responsibility for the effectiveness of the risk management system, for establishing the risk appetite and general risk tolerance limits of the company and for approving the main strategies and policies for risk management.
3.2.2. Role of the management committee
The management committee is responsible for the implementation of the risk management system. In accordance with the Delegated Regulation, the management committee and the persons responsible for control functions must take into account the information reported as part of the risk management system in their decision-making process.
3.2.3. Role of the risk management function
Please refer to point 5.2. below.
3.3. General rules for the risk management system
3.3.1. Areas covered by the risk management system
The Solvency II Law stipulates that the risk management system has to cover the risks that must be taken into consideration when calculating the solvency capital requirement as well as the risks that are not — or not fully — taken into account in this calculation, and cover at least the following areas:
1° entering into underwriting obligations and forming reserves;
2° asset-liability management (ALM);
3° investment, in particular in derivatives and similar commitments;
4° liquidity and concentration risk management;
5° operational risk management;
6° reinsurance and other risk-mitigation techniques.
These different areas are covered in the documented policies on risk management.
3.3.2. Liquidity plan
Where the insurance companies apply the matching adjustment referred to in Article 129 of the Solvency II Law or the volatility adjustment referred to in Article 131 of the Solvency II Law, they shall draw up a liquidity plan with an estimate of the incoming and outgoing cash flows relating to the assets and liabilities on which these adjustments are applied.
3.3.3. Asset-liability management
As regards asset-liability management, insurance or reinsurance companies shall make a regular assessment of:
1° the sensitivity of their technical provisions and their eligible own funds to the assumptions underlying the extrapolation of the relevant risk-free interest rate term structure as referred to in Article 126, § 2 of the Solvency II Law;
2° in the event of application of the matching adjustment specified in Article 129 of the Solvency II Law:
- the sensitivity of their technical provisions and their eligible own funds to the assumptions underlying the calculation of the matching adjustment, including the calculation of the fundamental spread as referred to in Article 130, § 1, 2°, and the potential effect of a forced sale of assets on their eligible own funds;
- the sensitivity of their technical provisions and eligible own funds to changes in the composition of the assigned portfolio of assets;
- the impact of a reduction of the matching adjustment to zero;
3° in case of application of the volatility adjustment specified in Article 131 of the Solvency II Law:
- the sensitivity of their technical provisions and their eligible own funds to the assumptions underlying the calculation of the volatility adjustment, and the potential effect of a forced sale of assets on their eligible own funds;
- the impact of a reduction of the volatility adjustment to zero.
Insurance companies shall provide the aforementioned assessments to the Bank on an annual basis. Where the reduction of the matching adjustment or the volatility adjustment to zero would result in non-compliance with the solvency capital requirement, the company shall also submit an analysis of the measures it could apply in such a situation to re-establish the level of eligible own funds to cover the solvency capital requirement or to reduce its risk profile to restore compliance with the solvency capital requirement.
Where the volatility adjustment referred to in Article 131 of the Solvency II Law is applied, the written policy on risk management shall comprise a policy on the criteria for the application of the volatility adjustment.
3.3.4. Investment risk
As regards investment risk, insurance companies shall show that they comply with the provisions of Articles 190 to 198 of the Solvency II Law regarding (i) the ‘prudent person’ principle, (ii) keeping a running inventory and (iii) localisation of assets.
3.3.5. External credit assessment
In order to avoid overreliance on external credit assessment institutions, when they use external credit rating assessments for calculating the technical provisions and the solvency capital requirement, insurance companies shall assess the appropriateness of those external credit assessments as part of their risk management by using additional assessments wherever practicably possible in order to avoid any automatic dependence on these external assessments.
In addition to the requirements established for the calculation of technical provisions and the solvency capital requirement, Delegated Regulation 2015/35 moreover determines that the internal risk management methods may not rely solely or automatically on external credit assessments. Where the calculation of technical provisions or of the solvency capital requirement relies on external credit assessments by an ECAI or on the fact that an exposure has no rating, this does not absolve the insurance companies from the obligation to take into consideration other relevant information too.
3.3.6. Stress tests
Delegated Regulation 2015/35 stipulates that where appropriate, insurance companies must integrate in their risk management system stress tests and scenario analyses as regards all relevant risks to which they are exposed.
3.4. Areas covered by the risk management system
3.4.1. Areas covered by risk management
Delegated Regulation 2015/35 stipulates that the risk management system must cover the following areas:
(a) Entering into underwriting obligations and forming reserves:
- measures to be taken by the insurance company to estimate and control the risk of loss or of adverse change in the value of insurance obligations, due to inadequate pricing and provisioning assumptions;
- the sufficiency and quality of data to be considered in the underwriting and reserving processes, as set out in Delegated Regulation 2015/35, and their consistency with the standards of sufficiency and quality;
- the adequacy of the claims management procedures, including the extent to which they cover the overall cycle of claims.
(b) Asset-liability management:
- the structural mismatch between assets and liabilities and in particular the duration mismatch of those assets and liabilities;
- any dependency between risks of different assets and liability classes;
- any dependency between risks of different insurance obligations;
- any off-balance-sheet exposures of the undertaking;
- the effect of relevant risk-mitigation techniques on asset-liability management;
(c) Investment risk management:
- action to be taken by the insurance company to ensure that the investments comply with the ‘prudent person’ principle;
- actions to be taken by the insurance company to ensure that its investment takes into account the nature of the company’s business, its approved risk tolerance limits, its solvency position and its long-term risk exposure;
- the insurance company’s own internal assessment of the credit risk of investment counterparties, including where the counterparties are central governments;
- where the insurance company uses derivatives or any other financial instrument with similar characteristics or effects, the objectives of — and the strategy underlying — their use and the way in which they facilitate efficient portfolio management or contribute to a reduction of risks, as well as procedures to assess the risk of such instruments and the principles of risk management to be applied to them;
- where appropriate in order to ensure effective risk management, internal quantitative limits on assets and exposures, including off-balance-sheet exposures.
(d) Liquidity risk management:
- action to be taken by the insurance company to take into account both short- and long-term liquidity risk;
- the appropriateness of the composition of the assets in terms of their nature, maturity and liquidity in order to meet the company’s obligations as they fall due;
- a plan to deal with changes in expected cash inflows and outflows;
(e) Concentration risk management:
- action to be taken by the insurance company to identify relevant sources of concentration risk to ensure that the risk concentrations remain within established limits and actions to analyse possible risk contagion between concentrated exposures;
(f) Operational risk management:
- action to be taken by the insurance company to assign clear responsibilities to regularly identify, document and monitor relevant operational risk exposures;
(g) Reinsurance and other insurance risk-mitigation techniques:
- actions to be taken by the insurance company to ensure the selection of suitable reinsurance and other risk-mitigation techniques;
- action to be taken by the insurance company to assess which types of risk-mitigation techniques are appropriate according to the nature of the risks assumed and the company’s capability to manage and control the risks associated with those techniques;
- the insurance company’s own assessment of the credit risk inherent to the risk-mitigation techniques.
Delegated Regulation 2015/35 also stipulates the following:
- the expected profit included in future premiums shall be calculated as the difference between the technical provisions, with a risk margin calculated in accordance with the Solvency II Law, and a calculation of the technical provisions, without a risk margin under the assumption that the premiums relating to existing insurance and reinsurance contracts that are expected to be received in the future are not received for any reason other than the insured event having occurred, regardless of the legal or contractual rights of the policy-holder to discontinue the policy.
- the calculation of the expected profit included in future premiums shall be carried out separately for the homogeneous risk groups used in the calculation of technical provisions, provided that the insurance and reinsurance obligations are also homogeneous in relation to the expected profit included in the future premiums;
- loss-making policies may only be offset against profit-making policies in a homogeneous risk group.
3.4.2. Risk management in companies providing loans and/or mortgage insurance
1. Insurance and reinsurance companies that provide loans shall have written policies to ensure all of the following points:
a) lending is based on sound and clearly defined criteria and the process for approving, amending, renewing and refinancing loans is clearly established;
b) companies have internal methods that enable them to assess the credit risk of exposures to individual borrowers and at portfolio level;
c) the ongoing administration and monitoring of loan portfolios, including for identifying and managing non-performing loans and for making adequate value adjustments, is operated through effective systems;
d) the diversification of loan portfolios is adequate given the company’s target markets and overall investment strategy.
2. Insurance companies that engage in mortgage insurance or reinsurance shall base their underwriting on sound and clearly defined criteria and comply with the requirements set out in point 1 a), b) and c).
3.5. General risk management policy
The board of directors of the insurance company shall set out a policy for risk management, which as a minimum:
- determines the risk categories and methods for measuring risks;
- defines how the company manages every relevant risk category and every potential aggregation of risks;
- describes the link between the assessment of the overall solvency requirements established under the ORSA supervisory report, the legal capital requirements and the risk tolerance limits of the company;
- establishes risk tolerance limits for all relevant risk categories, in line with the company’s risk appetite;
- describes the frequency and content of the regular stress tests and the situations that justify a stress test.
3.6. Risk policies
3.6.1. Policy relating to the management of the underwriting risk and reserve risk
In its risk management policy, the insurance company shall at least include the following as regards the underwriting risk and the reserve risk:
- the different types of insurance activities that the company exercises and the characteristics thereof, such as the type of insurance risk that the company is prepared to take on;
- how the adequacy of premium income to cover the expected claims and costs is guaranteed;
- identification of the risks arising from the company’s insurance obligations, including the embedded options and guaranteed surrender values in its products;
- how the company takes account of investment limitations in the process of developing a new insurance product and calculating premiums;
- how the company takes account of the reinsurance or other risk-mitigation techniques in the process of developing a new insurance product and calculating premiums.
3.6.2. Policy relating to the management of the operational risk
In its risk management policy, the insurance company shall at least include the following as regards operational risk:
- identification of the operational risks to which the company is or could be exposed and the assessment of how those risks can be mitigated;
- activities and internal processes for the management of operational risk, including the IT system to support those activities and internal processes;
- risk tolerance limits for the company’s main operational risk areas.
The company shall have processes for identifying, analysing and reporting operational risks. To this end, the company shall operate a process for registering and monitoring incidents with an operational risk component.
The company shall develop and analyse a suitable number of stress scenarios for managing operational risks. These stress scenarios shall at least be based on the following approaches:
- failure of a key process or departure of key staff or failure of a key system;
- occurrence of unforeseen external events.
3.6.3. Reinsurance and other risk-mitigation techniques - risk management policy
In its risk management policy, the insurance company shall at least include the following as regards reinsurance and other risk-mitigation techniques:
- identification of the level of risk transfer that is appropriate given the risk limits established for the company and the types of reinsurance policies that are the most suitable given the risk profile of the company;
- principles for the selection of counterparties concerned by such risk-mitigation techniques and procedures for assessing and monitoring the financial solidity and diversification of the reinsurance counterparties;
- the procedures for assessing an effective risk transfer and the manner in which account is taken of the basis risk;
- liquidity management to remedy every timing mismatch between the payment of claims and compensation under reinsurance.
3.6.4. Strategic risk and reputational risk
The company shall manage, supervise and report on the following situations:
- actual or potential exposure to reputational and strategic risks and the mutual relationship between these risks and other material risks;
- important issues that influence its reputation in view of the expectations of interested parties and market sensitivity.
3.6.5. Policy relating to asset-liability management
In its risk management policy, the insurance company shall at least include the following as regards asset-liability management:
- a description of the procedure for establishing and assessing the various forms of mismatch between assets and liabilities, especially as regards conditions and currencies;
- a description of the risk-mitigation techniques used and the expected effect of relevant risk-mitigating techniques on asset-liability management;
- a description of the mismatches permitted by the company;
- a description of the method that forms the basis of the stress and scenario tests and the frequency with which these tests must be carried out.
3.6.6. Policy relating to investment risk management
In its risk management policy, the insurance company shall at least include the following as regards investment risks:
- the level of security, quality, liquidity, return and availability the company is aiming for, for the asset portfolio as a whole, and the way in which the company intends to achieve this;
- its quantitative limits with respect to assets and exposures, including exposures not included in the balance sheet, which must be established to help the company be sure of reaching the desired level of security, quality, liquidity, return and availability for the portfolio;
- the level of availability that the company is aiming for, for the asset portfolio as a whole, and how the company intends to achieve this;
- accounting for the situation on the financial markets;
- the terms under which the company can provide assets as security and lend out assets;
- the relationship between the market risk and other risks in unfavourable scenarios;
- procedure for adequate marking to market and verification of investment assets;
- procedures for monitoring returns on investment and, insofar as necessary, reviews of this policy;
- how it is ensured that the assets are selected in the interest of policy-holders and beneficiaries.
3.6.7. Policy relating to the management of the liquidity risk
In its risk management policy, the insurance company shall at least include the following as regards liquidity risks:
- the procedure for establishing the level of mismatch between incoming and outgoing cash flows as regards both assets and liabilities, including the expected cash flows by virtue of direct insurance and reinsurance policies, such as claims, early exit or surrender;
- how total liquidity needs are taken into account for the short and medium term, including an appropriate liquidity buffer to cover liquidity shortages;
- how the level of monitoring of liquid assets is taken into account, including quantification of the potential costs and financial losses arising from forced sales;
- the establishment of alternative financing instruments and the costs thereof;
- how the effect on the liquidity position of expected new activity is taken into account.
3.7. Own Risk and Solvency Assessment
The Solvency II Law (Article 91) stipulates that each insurance company shall assess its own risk and solvency by way of an Own Risk and Solvency Assessment or ORSA as part of its risk management system.
This assessment shall at least contain:
- overall solvency needs, taking into account the company’s specific risk profile, overall risk tolerance limits and business strategy, approved by the board of directors and management committee;
- compliance on a continuous basis with the capital requirements laid down in Section II of Chapter VI of the Solvency II Law and the requirements on technical provisions laid down in Section I, Sub-section II of Chapter VI;
- the extent to which the risk profile of the company concerned deviates from the assumptions underlying the solvency capital requirement as laid down in Article 151 of the Solvency II Law, calculated using the standard formula in accordance with Articles 153 to 166 or an internal model or partial internal model in accordance with Articles 167 to 188 of the aforementioned Law.
A procedure should be devised to further determine the practical methods for drawing up the ORSA supervisory report. The Bank’s expectations regarding ORSA are described in Circular NBB_2019_30 on the Own Risk and Solvency Assessment.