Posts Tagged ‘ERM/ GRC’

How are insurers doing in their preparation for Solvency II?

Wednesday, May 5th, 2010

They aren’t ready yet but there’s still some time to go. Having said that, many of the insurers we are working with are well advanced in their Solvency II preparations. Insurers appear (sensibly) to be taking a stepwise approach to Solvency II:

  • Step 1: Appoint a programme manager and plan the project.
  • Step 2: Focus on Pillar 1 and the data and processes for calculating capital requirement.
  • Step 3: Focus on Pillar 2 and the ERM and ORSA requirements.
  • Step 4: Focus on the reporting requirements of Pillar 3.

Each step requires different skill sets, and we can track the progress insurers are making by looking at who they are recruiting. Step 1 needs programme managers, Step 2 needs actuaries, and Steps 3 and 4 require risk management skills. What we are seeing right now is that, as insurers complete Step 2 (or at least have it under control), they are starting to look at Step 3 and are looking for risk management expertise. In particular, this expertise is needed to decide how to approach the ERM requirements of Solvency II.

In our experience, the larger insurers see Step 3 as an opportunity to embed risk management throughout the organisation and are using products like Sword as a foundation for this. Smaller insurers don’t necessarily have the resources in house for this but vendors such as ourselves are starting to make it easier by introducing solutions that include a pre-configured ERM framework for Solvency II, and pre-populated risk and control libraries.

Mike MacDonagh

Solvency II, good Governance opportunity or Compliance problem?

Wednesday, March 24th, 2010

Nobody doubts the importance of Solvency II to the insurance industry in Europe but will it achieve what it is setting out to with regard to good governance? The question is a bit broad so, more specifically, will Solvency II really result in insurers linking their capital calculations to their risk appetite and, through the ORSA, to their risk management frameworks? Also, will they really consolidate the different risk silos into an enterprise risk management framework that will increase the risk awareness of executive management and enable risk-based decision making?

It would seem like a no-brainer, but the problem lies in the ROI, or rather, the lack of it. The returns from investing in good risk management tend to manifest themselves in the form of bad stuff not happening but, set against investments that generate positive revenue streams, the comparison can be invidious and the argument for investment a tough one to win.

So what happens next? Faced with the choice between treating Solvency II as an opportunity to invest in an enterprise-wide ERM framework to underpin its capital calculations and help ensure good decision making or treating it as a series of isolated compliance problems, how many insurers will opt for the latter? After all, this is more or less what happened with the response to Sarbanes-Oxley. If it costs less in terms of cash and organisational investment, will executives simply pass it to compliance and ask them to “keep the regulators happy”?

I guess time will tell. We are already working to implement ERM frameworks for some large insurers who are definitely taking the ‘high road’ in response to Solvency II; let’s hope they aren’t alone.

Mike MacDonagh

Risk & Compliance Silos don’t have to be bad

Tuesday, January 27th, 2009

For both Enterprise Risk Management and GRC, we have been encouraged to think of individual silos of risk management or compliance function as a bad thing and their removal as a sign of increasing ERM or GRC maturity. This doesn’t have to be true and indeed, there is a growing belief that it is important to retain the right kind of silos.

Take Audit; there has been a rush among GRC vendors to add audit function to their offering and to integrate it tightly with the risk management and compliance function. As the leading vendor of audit systems, CCH TeamMate are starting to hear of dissatisfaction with this approach. Independence is vital to the auditors’ role and it needs to be guarded jealously. Most importantly, auditors want to be free to choose the best audit tool for their requirements, usually from a specialist supplier.

In this case, Audit Management is a “best of breed” solution that needs to be joined up with other governance, risk and assurance solutions but that integration needs to reflect the needs of auditors and to continue to be developed exclusively with those needs in mind. The same is true of many areas of compliance and risk management. These areas are staffed by skilled experts and those experts need to be given the tools to do their jobs properly.

The trick is to be able to bring these “best of breed” solutions together in the right way to provide management not just with a ‘joined-up’ view of risk, compliance and audit but also with tools that enable them to do something about it.

In our view, the ‘central’ GRC platform needs to have:

  • A data warehouse that contains a common view of:
    • the organisational structure
    • the process structure
    • risk and control categories
  • Issue and Action Management
  • Key Risk and Performance Indicators
  • Risk Analytics
  • Dashboards and Reporting

This is supported by ‘best of breed’ solutions for:

  • Loss Recording
  • Risk & Control Self Assessment
  • Audit Management
  • Compliance Monitoring (e.g. AML, SOx, etc.)
  • Continuous Control Monitoring
  • Controlled Document Management (inc. Policy & Procedure Management)
  • Other risk management solutions (e.g. Credit Risk, Market Risk, etc.)

Mike MacDonagh.