Governance Regulatory Compliance for Insurers

Solvency II imposes numerous governance requirements on insurers. In this episode of “The Standard Formula” podcast, Skadden partner Sebastian Barling and Rob Chaplin, host and head of Skadden’s Europe Financial Institutions Group, guide insurers through these complex requirements.

They spotlight the Own Risk and Solvency Assessment, or ORSA, a cornerstone component of Solvency II that insurers must use to assess their risks and solvency needs. Sebastian and Rob also detail the Senior Managers and Certification Regime, or SMCR, which applies to insurers in the United Kingdom. The SMCR complements and enhances the governance requirements under Solvency II. They close with an overview of operational resilience and outsourcing requirements.

Key Points 

• The Own Risk and Solvency Assessment, or ORSA: A cornerstone component of Solvency II is ORSA, an internal process that insurers must use to assess their own risks and solvency needs. This process must be supported by robust governance structures with clear roles and responsibilities for senior management and the board. In the U.K., the Prudential Regulation Authority, or PRA, outlines expectations of the ORSA process.
• Four Key Governance Functions: There are key governance functions critical for effective risk management within insurers: risk management, compliance, internal audit and actuarial.
• Ensuring Accountability: Senior managers, including chief compliance officers, chief risk officers, chief internal auditors and chief actuaries, are prescribed responsibility for the governance functions. They are subject to five conduct rules, outlined in detail in this episode, that make them personally responsible for some areas.
• What Solvency II Says about Outsourcing: Global financial groups who operate in multiple jurisdictions and have dependencies outside their home state often outsource functions such as claims administration, claims management and investment management. Solvency II requires that any outsourcing arrangements do not undermine the quality of an insurer's governance system.

Voiceover (00:01):
From Skadden, The Standard Formula is a Solvency II podcast for UK and European insurance professionals. Join us as Skadden partner Robert Chaplin leads conversations with industry practitioners and explores Solvency II developments that matter to you.

Robert Chaplin (00:19):
Welcome back to The Standard Formula podcast. I’m Rob Chaplin. I’m delighted to be joined today by my partner Seb Barling, who’s recently joined us in our financial institution’s regulatory group in London. In this episode of our Solvency II Back to Basics series, we’re exploring governance requirements for insurers under the Solvency II framework.

(00:42):
As we go through the requirements, we’ll be delving into the key components under Solvency II and the necessary functions which ensure robust risk management for insurers. Further, we’ll cover certain UK-specific governance requirements, the UK’s Senior Managers and Certification Regime, or SMCR, operational resilience requirements, and outsourcing requirements. Seb, would you like to get us started?

Sebastian Barling (01:10):
Certainly, Rob. First, it’s useful to give a brief reminder of the overall Solvency II framework as it sets the context for this discussion. Those who have been following our series will be familiar with the framework, but just to recap, Solvency II is built on three pillars.

(01:24):
Pillar one covers quantitative requirements, including the calculation of technical provision, the solvency capital ratio or SCR, and the minimum capital requirements or MCR. Pillar two covers governance and risk management, which is our main focus today. Pillar two requires insurers to conduct an own risk and solvency assessment, an ORSA, and mandate certain internal governance systems. And then there’s pillar three, this sets out disclosure and transparency requirements. This requires insurers to provide regular reports to regulators and the public.

(01:53):
In addition, insurers based in the UK will be subject to the SMCR. Whilst the two regimes are separate, and note that many EU regulators have not implemented a similar regime to the SMCR yet, the UK’s implementation of the SMCR takes into account Solvency II requirements, and in certain ways complements and enhances the governance requirements under Solvency II.

(02:13):
Rob, would you like to walk us through what insurers are required to do under the ORSA?

Robert Chaplin (02:16):
Thanks, Seb. Very happy to do so. The ORSA is a cornerstone component of Solvency II. It’s an internal process that insurers must use to assess their own risks and solvency needs. The ORSA goes beyond the regulatory capital requirements, encouraging firms to consider all material risks that could impact their business.

(02:38):
An ORSA consists of the following steps. First, identifying and assessing all material risks. This includes underwriting, market, credit, operational, liquidity, and other emerging risks. Insurers must include qualitative and quantitative analysis to understand the nature, scale, and complexity of these risks. Second, insurers need to evaluate their solvency position under normal and stressed conditions. This involves assessing the adequacy of their capital resources relative to their risk profile and ensuring they hold sufficient capital to meet both regulatory requirements and internal targets.

(03:26):
Third, integration. An ORSA must be integrated with the insurer’s business strategy, considering the impact of strategic decisions on risk and capital needs. Fourth, insurers must conduct regular stress tests and scenario analyses to understand vulnerabilities and prepare contingency plans. Fifth, governance. The ORSA process must be supported by robust governance structures with clear roles and responsibilities for senior management and the board. Comprehensive documentation is essential to demonstrate the rationale behind risk assessments, capital evaluations, and decision-making processes.

(04:09):
These steps conclude in a written ORSA report. This must be submitted to the insurer’s supervisor, providing a comprehensive overview of the firm’s risk management framework, solvency assessments, and strategic considerations. This covers the requirements under Solvency II. In the UK, the Prudential Regulation Authority, or, PRA has provided further guidance on their expectations for the ORSA process. Seb, would you like to walk us through this?

Sebastian Barling (04:40):
Of course, Rob, very happy to. The PRA emphasizes that an ORSA should be an iterative process, continually refined as new risks emerge and as the business evolves. They expect firms to establish a feedback loop where the outcomes of the ORSA influence the risk management framework, strategy, and capital planning, creating a dynamic and responsive risk management system. The PRA stresses that the ORSA should not be seen as a one-off annual exercise, but as a continuous process embedded in the day-to-day risk management and strategic planning of a firm. Further, the PRA states that an insurer’s board must take active ownership of the process behind the ORSA. This includes setting risk appetite, reviewing outcomes, and ensuring integration with the overall risk management framework.

(05:22):
In return, the PRA expects that the ORSA should produce meaningful management information to support decision-making and risk management. This helps embed a culture of risk awareness and strategic planning within the organization.

(05:34):
Rob, shall we move on to the risk management functions required under Solvency II?

Robert Chaplin (05:39):
Yes, thanks, Seb. Solvency II specifies key governance functions critical for effective risk management within insurers. These functions are risk management, compliance, internal audit, and actuarial. Listeners will be familiar with these terms, but it’s important to understand what Solvency II actually requires of each function.

(06:05):
Taking these in turn, risk management. Solvency II requires an effective risk management system comprising strategies, processes, and reporting procedures to identify, measure, monitor, manage, and report on a continuous basis the risks which they are or could be exposed to. This includes the responsibility to manage underwriting and reserving, asset liability management, investment, liquidity, and concentration risk management, operational risk management, and reinsurance and other risk mitigation techniques.

(06:44):
The compliance function. Solvency II requires a compliance function responsible for the insurer’s compliance with applicable laws, regulations, and administrative provisions. This function is responsible for assessing possible impact of any changes in the legal environment on the operations of the company, and identifies and assesses compliance risks. This is of always known as horizon scanning.

(07:11):
Internal audit. Solvency II requires an internal audit function, which is independent from the operational functions. Internal audit should provide assurance to the board and senior management about the adequacy and effectiveness of the internal control system and other elements of the system of governance. Actuarial. This function is responsible for calculating technical provisions, the appropriateness of the methodologies and underlying models used, comparing best estimates against experience, and reporting to the board on the reliability and adequacy of the calculation of technical provisions.

(07:52):
Seb, can you tell us how these fit into the context of the SMCR?

Sebastian Barling (07:57):
Of course, Rob. Under the SMCR, responsibility for the necessary functions is further prescribed to senior management level which ensures individual accountability. The relevant roles include a chief compliance officer, chief risk officer, chief internal auditor, and chief actuary, which nicely align with the points made above. The holders of such senior management functions, SMFs, must be approved by the PRA prior to commencing their relevant SMF duties. The PRA expects firms to vet such individuals for relevant experience, qualification, and suitability, and has been known to challenge firms where they deem an appointment inappropriate or unsuitable.

(08:33):
More generally, in implementing the SMCR, the PRA has been guided by the principle of individual responsibility and accountability on the basis that regulation is more effective if senior individuals are personally responsible for certain areas. Accordingly, senior managers are also subject to certain senior manager Conduct Rules, which are as follows.

(08:52):
Senior management Conduct Rule one. You must take steps to ensure that the business of the firm for which you are responsible is controlled effectively. Rule two, you must take reasonable steps to ensure that the business of the firm for which you are responsible complies with the relevant requirements and standards of the regulatory system. Rule three, you must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively. Rule four, you must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.

(09:27):
And Rule five, when exercising your responsibilities, you must pay due regard to the interest of current and potential future policyholders in ensuring the provision by the firm of an appropriate degree of protection for their insured benefits. Further, an insurer is required to put in place a comprehensive and up-to-date map of management responsibilities describing its management and governance arrangements, including whether such responsibilities are shared or divided amongst different managers.

Robert Chaplin (09:53):
Let’s now pivot to another key area of focus for regulators, that’s outsourcing. This is a topic of particular importance to global financial groups, including insurers, who operate in multiple jurisdictions and have dependencies that are outside their home state. Outsourcing covers any function which the insurer could otherwise do itself. This includes claims administration, claims management, and investment management arrangements.

(10:22):
Solvency II requires that any outsourcing arrangements do not undermine the quality of the insurer’s governance system. Therefore, insurers must ensure that they retain ultimate responsibility and have effective oversight mechanisms in place. This includes conducting thorough due diligence, establishing clear contracts with compliant enforcement and monitoring mechanisms, and maintaining continuous monitoring of the outsourced activities. Importantly, boards and senior management, in particular individuals performing SMFs, can’t outsource their responsibilities, so remain accountable for monitoring and overseeing outsourced functions.

(11:09):
Further and of relevance to international groups, note that the PRA treats intra-group outsourcing as being subject to the same requirements as outsourcing to third-party providers. The PRA states that intra-group outsourcing should not be treated as having inherently less risk. In practice, compliance with rules on outsourcing can be proportional, depending on the level of control and influence over the entity that is providing the outsourced service.

(11:41):
Seb, would you like to finish by telling us about the requirements for insurers regarding operational resilience?

Sebastian Barling (11:48):
Of course. Last but not least, operational resilience has become increasingly critical in today’s fast-paced and interconnected world. Key aspects of operational resilience include identifying critical business services that could impact policy holders and market stability if disrupted; developing robust mitigation and recovery plans tailored to specific operational risk; putting in place business continuity plans, incident response strategies, and managing risks associated with outsourcing critical functions; and conducting scenario analysis and testing to assess the insurer’s ability to withstand various risks and recover swiftly.

(12:22):
Governance plays a crucial role under both Solvency II and the applicable PRA guidelines. This includes active involvement from senior management and the board to ensure that resilience measures are effective and regularly reviewed. One development to monitor for insurers based in the EU is the EU’s Digital Operational Resilience Act, or DORA for short, which comes into effect on the 17th of January 2025, which in some measures goes beyond the requirements for outsourcing under the Solvency II framework.

(12:50):
These requirements include obligations to establish an information and communication technology, i.e. ICT, risk management framework. Two, perform continuous monitoring and control of ICT systems and tools. Three, implement advanced digital operational resilience testing of ICT systems and develop a threat-led testing approach. Four, establish a third-party risk management function. Five, set up an incident classification and reporting framework for timely and accurate incident reporting to authorities. Six, develop business continuity and IT service continuity plans, including segregated and secure backup systems. And finally, seven, to find clear governance structures with top management accountability for ICT risk management.

Robert Chaplin (13:33):
Great. Thanks, Seb. And that concludes our discussion on regulatory governance requirements in the insurance sector under Solvency II. Thank you again to Seb for joining me on this episode.

(13:45):
If you have any further inquiries regarding the topics we’ve explored today or suggestions for future episodes, please do reach out to us. Any questions, comments, or queries are welcome. Thank you again for joining us, and we hope you’ll join us on our next episode of The Standard Formula.

Voiceover (14:05):
Thank you for joining us on The Standard Formula. If you enjoyed this conversation, be sure to subscribe in your favorite podcast app so you don’t miss any future episodes. Additional information about Skadden can be found at skadden.com.

(14:18):
The Standard Formula is a podcast by Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates. Skadden is recognized for its deep experience in representing insurance and reinsurance companies and their advisors on a wide variety of transactional and regulatory matters. This podcast is provided for educational and informational purposes only, and is not intended and should not be construed as legal advice. This podcast is considered advertising under applicable state laws.