The continuously evolving complexity of the risk system accentuates the uncertain context in which the modern enterprise must operate. In this context, the insurance undertaking, which institutionally assumes risks transferred from other economies as its core business, is itself exposed to the risk that notoriously pervades all companies. Therefore, over time the management team must define the level of uncertainty that the undertaking can accept, i.e. the level of vulnerability compatible with the value creation objectives.
Though risk governance is a distinctive trait and an essential and fundamental component of business management by definition, the growing success of the risk culture within insurance management companies seems to be a rather new conquest, primarily deriving from the significant changes in the insurance sector in recent years.
In the European context, Directive 2009/138/EC, also known as Solvency II, which came into force on 1 January 2016, imposed a structured and global paradigm to protect company solvency according to a risk-based approach, one which places at the centre of the supervisor's, undertakings' and market's attention the quantity and quality of risk that all undertakings assume with their financial resource investment decisions and commitment towards insured parties.
From a systematic perspective, the Solvency II supervisory framework is structured across three pillars. The first pillar sets out the quantitative solvency requirements, which, in a risk-based overview, in addition to the capital requirements considers the correct assessment of all obligations towards policyholders, the diversification of investments and their coherence with the liabilities and risk appetite defined by senior management, the profitability and sustainability of products offered over time and the capability to mitigate technical and financial risks.
Nevertheless, we know that the simple quantitative measures are not always sufficient to identify and appropriately define all risks to which a company is exposed. Solvency II does not simply require that insurance companies have appropriate capital requirements to tackle the various company risks; it also encourages them to develop a genuine corporate risk culture in order to protect shareholders, lenders and stakeholders in general. The Board of Directors and the senior management team are the first to be called upon to meet high standards of ethics and integrity, so as to spread said culture to all company levels.
Consequently, within the second pillar the Solvency II Directive confirms the central role of control activities and the functions assigned to overseeing the internal controls system as fundamental elements of an effective governance system intended to provide for a sound and prudent management of the business.
The integrated management of the various company risks must acknowledge, now more than ever, the preparation of adequate internal control systems to identify and cushion the risk potentially undermining tangible value creation in a business area such as insurance, which has unique operating profiles.
The internal controls system, also according to the rationale of supervisory regulations, must be understood as all the regulations, procedures and organisational structures used to ensure the undertaking's correct functioning and good performance in accordance with the pre-established objectives. It must then be used to pursue, with a good level of security: the efficiency and effectiveness of company processes; a valid risk control; the integrity and reliability of the accounting and management information; the monitoring of the undertaking's assets; and the compliance of the undertaking's activities with law and regulations.
An effective control system must guarantee a close interconnection with all other variables present within the company system such as organisational, individual, technical and social variables. This system must present a clear distribution and appropriate segregation of responsibilities, in addition to making it possible to transmit information effectively. Solvency II's second pillar envisages a corporate governance system based on a system of internal controls and risk management structured across the following four functions, all pertaining to the ultimate responsibility of the company Board: risk management, compliance, internal audit and actuarial function, which must bolster the “three lines of defence” structure.
Current trends in the insurance and financial sector therefore impose on undertakings the need to develop increasingly sophisticated business control mechanisms that are capable of monitoring and constantly managing the growing operational complexity and correlated risk profiles.
Following the financial crisis, the issue of risk governance in the financial sector rose to prominence. Risk governance may be defined as the framework of rules, relationships, systems and processes within organisations with regard to the management and control of risk. This involves a stronger risk oversight according to an enterprise-wide risk management approach. Though insurance companies were affected to a lesser extent by the financial crisis than banks, and their core business, risk underwriting, did not feel its effects, it has nevertheless been demonstrated that insurance companies with a stronger risk governance structure might be able to better control their shortfall risk.
Nevertheless, it is necessary to mention that risk governance must not only be considered a defensive activity. During non-crisis periods, the purpose of risk governance is not to reduce risk per se, but to support appropriate risk-taking and increase the probability that a firm might achieve its business objectives.
In this respect, the ever more central role of the risk management function is revealed, now seen as a concrete governance tool in support of the administrative body. Diligent risk management, no longer only considered as a burden to bear, but recognised as a possible success factor, may allow for a tangible increase in efficiency in company resource allocation, so as to guarantee an improvement of those company performances and a concrete competitive advantage.
The development of the risk culture, i.e. a system of shared values and common regulations created in the undertaking in order to protect it from the risks to which it is exposed, is therefore fundamental for correct risk management activities, provided that said culture makes it possible to acquire awareness of the risks, communicate the information obtained during their assessment and contribute to their management in an effective and efficient way.
No longer informally managed, relationships evolve by necessity towards an ever greater integration in terms of models, methodologies and tools in order to adequately capture all types of risk, including those not currently reported or even for which the related quantitative models have not been developed.
It is essential to bolster and organise an enormous amount of technical and financial abilities within the risk management function, independently of the operating functions, in order to still guarantee autonomous and clear reporting in relation to the risks considered.
A fair and appropriate identification and assessment of risk requires the continuous collection, by the undertaking itself, of information regarding the internal, external, existing and prospective risks it may incur during its activities, involving all operating processes and functional areas.
The demand for integrated databases that are easy to consult and contain the most complete and processable information undoubtedly represents the starting point for a risk sensitive approach when creating company policies and defining supervisory requirements from a Solvency II perspective.
Adopting an integrated risk management system, with consolidating strength with respect to considering the risks to which the company is exposed, may be very complex; this complexity must not, however, serve as a deterrent when undertaking the overall project.
The book is divided into six chapters including the Introduction.
Chapter 2 highlights the peculiarity of features and risks that insurance undertakings have to face. Consequently, it focuses on the role of internal control systems, which become a key concern to cope with the complexity of insurance activity. The chapter ends by analysing the motivation and evolution of external regulation using a European and international vision.
Chapter 3 focuses on the role and characteristics of a systemic approach to risk governance capable of tackling the growing complexity of the uncertainty in the financial markets, and within them, the activities of insurance intermediaries. In this context, the Enterprise Risk Management (ERM) process enables firms to approach risks in an enterprise-wide, consolidated, structured, dynamic and continuous manner from a long-term perspective. The chapter concludes by focusing on an integrated approach to the classification, assessment, management and control of the various risks faced by the insurance sector: not only underwriting and reserve risk, typical of the insurance sector, but also market, credit, liquidity, operational and compliance risk.
Chapter 4 analyses the regulatory principles of the second pillar of Solvency II, which is constituted by provisions pertaining to corporate governance, risk management and the internal control system and, secondly, by the regulation of supervisory activities, instruments and powers. In particular, the chapter focuses on the key four functions of the risk governance system: risk management, compliance, actuarial and audit function, which bolster the “three lines of defence” structure.
Chapter 5 highlights current trends in the insurance and financial sector and analyses how internal controls of undertakings have to be adapted to better cope with the evolving scenario, where insurance activities become ever riskier and more complex. Furthermore, the chapter focuses on the impact of these potential changes on external regulation and on the needed revision of the existing regulatory regime.
Chapter 6 proposes an assessment model in order to enable the internal audit function to express a synthetic opinion about the company's internal control system on an annual basis. The model is constructed starting from the risk types defined by the company organisational model, identified within the entity level risks, which affect the overall company structure, and within the process level risks, which affect individual company processes and are influenced by the first ones.