Solvency II and Internal Audit
Parameter Uncertainty
Aggregation and Dependency
Stress and Scenario Testing
Contract Boundaries – Non Life
Contract Boundaries - Life
Board Considerations
© 2015 Deloitte4
• Impact of SII on Internal Audit
• To note…
• What are IA peers doing re SII
• SII areas to consider for 2016 Audit Plans
Solvency II Internal AuditOverview
© 2015 Deloitte5
Solvency II Internal Audit
Audit ‘requirement’ shift
‘Self’ Regulation
IIA Standards
Internal Audit
Best Practices
Stakeholder
Needs and
Expectations
Solvency II
Directive
IIA
recommendations
for Financial
Services Internal
audit
Law
© 2015 Deloitte6
Solvency II Internal Audit
Similarities between SII and IIA requirements
An internal audit function is a SII requirement (30) & to be appropriately
implemented as key function (guideline 5)
IA function can be outsourced (31) but have to allocate overall responsibility for
the outsourced key function in group. (guideline 50)
IA function can not be 'combined' with another function (32) & requires
independence at engagement performance level (guideline 32)
CBI should be informed prior to the outsourcing of internal audit function. (37)
(a49)
IA must have written policies for internal audit, implemented & reviewed at least
annually; prior approval by Board (a41)
IA function have to evaluate the adequacy and effectiveness of the internal
control system and other elements of the system of governance. IA function has to have a IA policy ie. charter/terms of reference.
(guidelines 9 & 33)
Minimum 'tasks' for IA function:
- establish, implement and maintain audit plan & report plan to Board;
- risk-based approach in deciding its priorities;
- issue an internal audit report to the board with findings, recommendations,
owner & implementation date;
- remediation testing (verify compliance with agreed action plans)
(guideline 34 on IA tasks)
© 2015 Deloitte7
• Internal Audit Assessment included in CP73 was not included in CP92, but in
practice the expectation is that it will be considered as part of the audit
universe. SII requires that u/takings must ensure that data used to calculate
technical provisions is accurate, appropriate and complete.
• The requirement for IA function automatically include requirement for PCF-13
• Most notable impact of SII is on insurance captives or subsidiaries of very large
insurance group, previously immaterial when group audit universe was defined
Solvency II Internal Audit To note…
© 2015 Deloitte10
Pillar 1 Assessment of Reserving process (CP92/ CP73)
- Review of processes around preparation and submission of data provided to the
Actuarial Function and around the production of the booked reserves to provide
reasonable assurance that the data is accurate and complete
Model Risk Management
- Review processes and controls around operation of the model – including
governance, segregation of duties, model maintenance and updates, data checks,
controls over third party elements.
Pillar 2 High level review of ORSA governance and processes
- Review of ORSA Policy against Solvency II requirements and market best practice.
- Review of ORSA process – governance, processes and procedures in terms of
production of the ORSA.
- Review whether the methodology used the ORSA has been appropriately
documented.
- Review evidence of stress and scenario testing considered as part of the ORSA to
ensure all key risks are captured.
- Review of Board input into the ORSA process and evidence of appropriate challenge
of the assumptions and results of the solvency assessment and developing
appropriate response strategies.
Solvency II Internal AuditSII areas to consider for 2016 Audit Plans
© 2015 Deloitte11
Pillar 3
Governance, processes and controls supporting P3 reporting
Gap analysis including compliance with Additional Insurance and Statistical National
Specific Templates and ECB add-ons (but need to be in early Q1),
Review of governance and process in respect of and quality of quantitative reporting
(QRTs):
- Assess whether a Reporting and Disclosure Policy has been documented, approved
and cascaded.
- Assess whether all relevant QRTs have been identified by reviewing the Company’s
data directory.
- Review whether the process and controls for preparation of QRTs, has been
documented and implemented.
Solvency II Internal AuditSII areas to consider for 2016 Audit Plans
© 2015 Deloitte12
Pillar 3 (continued)
Review of governance and process in respect of and quality of narrative reporting:
- Assess whether a Reporting and Disclosure Policy has been documented, approved
and cascaded.
- Solvency and Financial Condition Report (SFCR)
• Review of structure and high level content to assess whether the SFCR is in line
with Solvency II requirements and market best practice.
• Assess whether the process for producing the SFCR has been appropriately
documented.
• Review of consistency with reporting and disclosure policy.
- Regular Supervisory Report (RSR)
• Review of structure and high level content to assess whether the RSR is in line
with Solvency II requirements and market best practice.
• Assess whether the process for producing the RSR has been appropriately
documented.
• Review of consistency with reporting and disclosure policy.
Solvency II Internal AuditSII areas to consider for 2016 Audit Plans
© 2015 Deloitte14
Prediction is very difficult – especially about
the future
‒ Niels Bohr*
*Disputed – also attributed to others
Parameter Uncertainty
© 2015 Deloitte15
Some sources of uncertainty:
‒ Choice of model (e.g. large claims ~ Poisson)
‒ Choice of parameters (prescribe a value for λ)
‒ This presentation focuses on the latter
Article 229 of Delegated Acts (regarding Internal Models):
Actuarial and statistical techniques shall only be considered adequate, applicable and
relevant for the purposes of Article 121(2) of Directive 2009/138/EC where all of the
following conditions are met:
(f) The outputs of the internal model do not include a material model error or estimation
error; wherever possible, the probability distribution forecast shall be adjusted to
account for model and estimation error
Can also be of interest to standard formula firms
‒ Firms using undertaking specific parameters (USPs)
‒ ORSA considerations around standard formula appropriateness
Parameter UncertaintyRelevance
© 2015 Deloitte16
• Estimation error is the difference between an estimated value and the true
value of a parameter
• How can we be sure our parameters are appropriate?
• If we estimate parameters from (adjusted) data what would happen if we had
observed a different data sample?
• Different data samples (observed from the same distribution) may lead to very
different parameter estimates
Parameter UncertaintyIntroduction
© 2015 Deloitte17
• 5 different samples drawn from a Poisson random variable (λ = 4)
• Usual to estimate λ = sample average
• In this simple example we get values between 2.60 and 5.80; potentially leading to
very different values for λ in our model
• Updating after 11th observation will also result in different estimate for λ
Sample 1 Sample 2 Sample 3 Sample 4 Sample 5
1 6 4 9 3 2
2 5 4 7 3 4
3 3 2 5 3 6
4 4 3 2 3 3
5 3 5 6 1 8
6 3 7 7 2 3
7 4 4 4 0 4
8 5 8 5 5 4
9 3 2 3 3 2
10 1 5 10 3 4
3.70 4.40 5.80 2.60 4.00
Parameter UncertaintyExample
© 2015 Deloitte18
Use expert judgement
‒ Increase the CoV*
‒ Subjective and may be difficult to justify/validate
Incorporate results from probability theory
‒ Treat the parameter itself as random
‒ Use Bayes’ rule to derive appropriate distribution
‒ Different value of the parameter in each model simulation
Some commonly used methods/models already incorporate parameter
uncertainty (e.g. Mack or ODP)
*Coefficient of variation = the ratio of the standard deviation σ to the mean μ
Parameter UncertaintyHow to incorporate
© 2015 Deloitte19
Depends on number of data points, “spread” of data points etc. but….
Here are some (standalone) examples:
Parameter UncertaintyImpact
*for illustrative purposes only
% increase
in CoV
Poisson - Sample 3 4.0%
Irish Motor Claims 2005-14* 49.2%
Reserve USP based on Taylor/Ashe data 9.7%
© 2015 Deloitte21
Dependency describes the relationship between two or more variables
Dependency assumptions a key input into any model
‒ Will impact diversification benefit
‒ Key focus of regulatory scrutiny
Implicit dependency
‒ Inflation
‒ Impact of CATs
‒ Shocks/Binary Events/ENIDS
Explicit dependency
‒ Usually via a copula
‒ Need to choose a copula and parameters
‒ Commonly use Gaussian Copula (“the formula that killed Wall Street”)
Aggregation and dependencyIntroduction
© 2015 Deloitte22
• Correlation and dependency often (incorrectly)
used interchangeably
• Correlation is a measure of linear dependency
• Dependency is not always linear
• Not all dependent variables are correlated
• In the following examples correlation = 0
• Do you think they’re independent?
Graph source: Wikipedia
Gaussian Copula
Aggregation and dependencyCorrelation vs dependency
© 2015 Deloitte23
In times of stress apparent
dependency can increase
‒ “All the correlations go to 1”
Tail dependence measures how
variables behave under extreme
conditions
‒ Can be “good” or “bad” tail
dependency
Can be underestimated (or missed completely) if data is observed over a period
of benign experience
‒ e.g. Operational risk modelling
Models lacking tail dependency can underestimate extreme events and hence
capital requirements
‒ Long term capital management
‒ 2008 financial crisis
Value scatter
-4
-3
-2
-1
0
1
2
3
4
5
-5 -4 -3 -2 -1 0 1 2 3 4
Variable 1
Va
ria
ble
2
Aggregation and dependencyTail dependence
© 2015 Deloitte24
All models are wrong, but some models are
useful
‒ George Box
A word of warning…….
……is yours one of the useful ones?
© 2015 Deloitte
Sensitivity Testing - Straightforward and common technique to assess financial impact
of adverse changes in a single risk parameter (single factor analysis) relative to a best
estimate view. Sensitivity testing can be used to highlight whether a risk or assumption is
material.
Stress Testing - In a stress test, a single or a small number of connected risk factors are
stressed in isolation from other risk factors and the effect on the economic balance sheet is
calculated. A stress test can therefore serve to analyse the exposure of a company to
specific (individual) risk factors.
Scenario Testing - A scenario tries to define and include all risk factors to which a
company may be exposed. Scenarios do not predict future development, but rather
illuminate extreme but still possible situations.
Back-testing - A comparison of the actual observed (historical) values of key financial
variables with the predictions generated by the stress-testing models. Back-testing can be
used to validate the robustness of stress testing models.
Reverse Stress Testing – These are stress tests that require a firm to assess scenarios
and circumstances that would render its business model unviable, thereby identifying
potential business vulnerabilities.
Stress and Scenario TestingDefinitions
26
© 2015 Deloitte
Stress and Scenario TestingLessons to be learned from the banking sector
Paper highlighted weaknesses in stress
testing practices employed prior to the crisis
in 4 key areas:
i. Use of stress testing and integration in
risk governance;
ii. Stress testing methodologies;
iii. Scenario selection; and
iv. Stress testing of specific risks and
products.
Performance of stress testing
during the crisis
May
2009
27
© 2015 Deloitte
Stress and Scenario TestingLessons to be learned from the banking sector
Stress testing
methodologies
Broad spectrum of methodologies, very
simple to very complex.
Models largely built on historical data and
statistical relationships.
Inability to identify and aggregate exposures
across the bank.
Use of stress testing and
integration in risk governance
Lack of Board and Senior management
involvement
Isolated exercise by the risk function.
SST frameworks not flexible to respond to
economic changes.
Risk-specific stress testing was usually
conducted within business lines.
Stress testing of
specific risks and products
Particular risks that were not covered in
sufficient detail in most stress tests include.
• the behaviour of complex structured products
under stressed liquidity conditions.
• pipeline or securitisation risk.
• basis risk in relation to hedging strategies
• counterparty credit risk
• contingent risks
• funding liquidity risk
Scenario Selection
Scenarios very benign. Stress tests did not
even broadly match actual developments.
Significantly underestimated correlations.
Scenarios ignore multiple risk factors or
feedback effects.
Historical scenarios unable to capture risks in
new products and changing exposures.
Funding and liquidity issues not considered
adequately.
28
© 2015 Deloitte
Stress and Scenario TestingTypical Framework for Stress and Scenario Testing
Risk StrategyRisk and
owneridentification
Risk quantification& validation
Reporting and review
Businessapplications
Stress andscenario
development
29
© 2015 Deloitte
Stress and Scenario TestingMaturity Ladder
Risk StrategyRisk and
owneridentification
Risk quantification& validation
Reporting and review
Businessapplications
Stress andscenario
development
- Clear governance, and well
developed frameworks.
- Business functions engaged in
identifying risks and developing
scenarios.
- SST linked to business plan
and changes in risk profile.
- Complimentary and
independent risk perspective to
Economic Capital Models.
- Reasonable evidence of
embedding in decision making.
- Stresses based on a 1-in-200
event from the EC model.
- Additional focus on risks not
covered in SCR.
- SST focussed on one metric
only (SCR).
- SST treated as a compliance
exercise.
- Very technical output.
- Attention to emerging risks and
changing risk profile.
- Wider range of scenarios,
including control failures.
- Peer analysis, and industry
benchmarking,
- Wide range of metrics used,
IFRS, EEV, SCR, Liquidity.
- Mitigating actions developed
for different scenarios.
- Perform reverse stress testing
and back-testing.
- Strong evidence of embedding
in decision making.
- SST performed at different
confidence levels and multi-
period time horizons.
- Developing early warning
indicators and trigger points for
management actions.
- Realistic contingency actions
through techniques such as
war-gaming.
- Views from internal and
external experts on scenarios
and contingency plans.
- Wide range of reverse stress
tests, extended to disaster
management and recovery
planning.
- Reporting and communication
tailored to different audience.
Primitive Basic Advanced Leading
30
© 2015 DeloitteSolvency II
Stress and Scenario TestingGeneral Insurance Stress Tests
• In July 2015 the PRA sent a request to the UK’s
largest general insurers to participate in a stress
test exercise.
• The GIST have 9 scenarios guided by the
regulator, plus two additional insurer specific
scenarios.
• These stress tests have been
designed to complement the
ongoing work of the PRA in
assessing the resilience of UK
insurers and in monitoring how
insurers are developing their
Own Risk and Solvency
Assessment.
• The full document on GIST can
be found here:
• http://www.bankofengland.co.uk/
pra/Documents/supervision/activ
ities/generalinsurancestresstesti
ngjuly2015.pdf
• http://www.bankofengland.co.uk/
pra/Documents/supervision/activ
ities/gist2015.xlsx
31
© 2015 Deloitte33
Contract Boundaries – Non LifeRecognition of obligations
Delegated Acts, Article 17
“… undertakings shall recognise an insurance or reinsurance obligation at the
date the undertaking becomes a party to the contract that gives rise to the
obligation or the date the insurance cover begins, whichever date occurs
earlier….”
Treatment of bound but not incepted business at valuation date?
Future premium and claims cash flows should form part of premium
provisions, unless the undertaking has a “unilateral right to cancel” the
contract.
© 2015 Deloitte34
Contract Boundaries – Non LifeRecognition of obligations – impact on premium volume
measure
Premium risk volume measure at t=0
IRD ------------- ----------------------
IRD ------------
IRD -----
t-1 t t+1 t+2
IRD Initial recognition date of contract
P(last,s)
Ps
FP(existing,s)
FP(future,s)
Premium excluded
© 2015 Deloitte35
Contract Boundaries – Non LifeBoundary of a recognised contract
Undertakings should consider the boundary of a contract to be the point in time in the
future which the undertaking has a unilateral right to cancel the contract, reject the
premium or amend the premium or benefits (“unilateral right to cancel”).
Treatment of multi-year contracts (technical provisions)?
• All future premium and claims cash flows for the whole of the multi-year
contract should form part of technical provisions, unless the undertaking has
a “unilateral right to cancel” the contract.
• Any obligations which relate to cover provided after the date in which the
undertaking has “unilateral right to cancel” do not belong to the contract
unless the undertaking can compel the policyholder to pay the premium for
those obligations.
© 2015 Deloitte36
Contract Boundaries – Non LifeBoundary of a recognised contract - impact on premium volume
measure
EIOPA Q&A set 8 on the Preparatory Phase Technical Specification (10/07/2014)
There should not be a link between the contract boundary and the premium and
reserve risk modules, as it is factor based.
Technical Provisions
No profits / losses are recognised
beyond this point defined as the
contract boundary.
Premium volume measure (SCR)
The premium volume measure is the
expected value of premiums
irrespective of what point in time is
defined as the contract boundary.
© 2015 Deloitte38
Contract Boundaries – LifeReviewable products & unit-linked savings
Reviewable products
• General Irish market practice is that the contact boundary is the date of
review and the policy is assumed to become paid-up after that date.
Regular premium savings products
• General Irish market practice is that the contract boundary is assumed to
be immediately and no future premiums from the valuation date forward, in
most cases.
Solvency II rules prevent the recognition of future premiums
unless there is a future material insurance event or financial
guarantee.
© 2015 Deloitte39
Contract Boundaries – LifeExample – Regular premium unit-linked savings products
Sold a regular premium unit linked savings product on the 1st of December
with the following features.
• Monthly premium of €400;
• Management charge of 2% per annum;
• Per policy expenses of €60 per annum;
Assumptions used in example; Flat interest rate of 3%, Surrender rate of 20%
Value with no contract boundary as at 31st December
• Assume future premiums of €400 per month
• Very profitable policy with a negative non-unit reserve of circa €1,200
Solvency II basis with contract boundary as at 31st December
• Assume no future premiums
• Positive non-unit reserve of circa €220
© 2015 Deloitte40
Contract Boundaries - LifeConsiderations
Expenses after the contract boundary
• Do you use full expenses, paid-up expenses or another expense
assumption after the contract boundary?
Extending the contract boundary
• Some insurers are considering adding free benefits to insurance
contracts to extend the contract boundary.
Preference for higher own funds
• Depending on your preference for higher own funds and potentially a
lower coverage ratio or vice versa could influence how companies
approach the application of the contract boundary.
© 2015 Deloitte42
Solvency II Board Considerations
General
• Board responsibility – Article 40 Directive
Boards have … “the ultimate responsibility for the compliance, by the
undertaking concerned, with the laws, regulations and administrative provisions adopted
pursuant to this Directive.”
• Are board members aware of all of their responsibilities under Solvency II?
• Are board members equipped with the skills, tools and knowledge to challenge
management and to conclude that the undertaking is compliant with Solvency II?
• Is there undue reliance on any one board member?
• Is there a clear and credible plan of activities from now until the first annual report is
submitted in 2017?
© 2015 Deloitte43
Solvency II Board Considerations
Pillar 1
• Is there a clear understanding of the differences between the Solvency II balance sheet
and financial statements / Solvency I balance sheets?
• Solvency II risk margin is a very different concept to Solvency I margin for uncertainty
(non-life undertakings)
• Capital coverage ratio on a Solvency I vs Solvency II basis
• What are the drivers of SCR? What might cause it to fluctuate?
© 2015 Deloitte44
Solvency II Board Considerations
Pillar 2
ORSA:
• Have board members been actively involved in identifying risks and stresses?
• How have board members steered the ORSA process?
• Has ORSA been used in any board level decisions?
Standard formula appropriateness: Have board members challenged the analysis and
any resulting actions?
Key control functions:
• Risk management: Is there sufficient challenge from risk management, including at
board level?
• Compliance function: Advises board on compliance with Solvency II
• Actuarial Function Report: Is the board aware of changes to the role of the actuary
under Solvency II?
© 2015 Deloitte45
Solvency II Board Considerations
Pillar 3
• Board is responsible for approving annual QRTs, narrative reports and Day 1 QRTs
• Do board members have a good understanding of the QRTs?
• Has there been a dry run to populate QRTs and test the CBI portal?
• Can management provide sufficient evidence to the board of the controls around the
population of QRTs / narrative reports and the quality of data in the reports?
• Is there sufficient time in the 2016 plan for Board review and challenge of regulatory
submissions?
© 2015 Deloitte© 2015 Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ie/about for a detailed
description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
With nearly 2,000 people in Ireland, Deloitte provide audit, tax, consulting, and corporate finance to public and private clients
spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings
world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex
business challenges. With over 210,000 professionals globally, Deloitte is committed to becoming the standard of excellence.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services
Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of
the foregoing’s affiliates (collectively the “Deloitte Network”) are, by means of this publication, rendering accounting, business,
financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional
advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business.
Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified
professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person
who relies on this publication.
© 2015 Deloitte. All rights reserved
Top Related