3.01  Insurers fulfil an essential role in the economy as managers of insurable risk over potentially long periods of time. Performance may only take place when an insured event occurs. Alternatively, policyholders may not have a right to immediate or early redemption of the policy, in case premiums have been invested on their (p. 44) behalf. Thus, insurers are expected to have sound governance practices to support this specific role and position.¹

3.02  This role requires a corporate culture and environment of shared values and respect of sound ethical principles.² Overall, this is a system which is composed of corporate structures (board of directors, senior management, key functions) and related governing policies (by-laws, organizational rules, committee and key functions mandates). In addition, corporate governance of insurers is closely related to the decision-making processes and actions linked to the firm’s corporate environment and framework of structures, policies, and controls.

3.03  As financial institutions accepting private savings in return for future payments, insurers are faced with the moral hazard of acting in short-term profitable transactions that may jeopardize their ability to meet their long-term obligations. Accordingly, expectations with regard to governance practices of insurers in general exceed those of most other corporations.³

3.04  These expectations are reinforced by the prudential regulatory framework under which insurers operate. This emphasizes insurers’ responsibility for managing and controlling their risks and establishing appropriate policies and practices. Prudential regulation and supervision may intervene at the various levels (licensing, fit and proper management, solvency and insurer investments, policyholder protection funds, resolution regimes).

3.05  Corporate governance requirements define roles, responsibilities, and accountability.⁴ They define the duties and the legitimate powers to run the business and under which conditions. Corporate governance sets requirements for taking decisions and actions, in line with the business purposes and rationale of the undertaking, and for disclosure to the supervisor and other stakeholders. It should also provide for corrective action in case of non-compliance or failure. Moreover, corporate governance requires an organizational structure with an appropriate segregation of duties. There should be a trade-off between an efficient decision-making process (because an insurer has to be responsive to make timely decisions), and appropriate systems, controls, and limits to ensure that business operations are driven by the best interest of policyholders and the insurer as a whole.⁵

(p. 45) 3.06  In the aftermath of the crisis, as was also the case for other types of financial institutions—in particular banks, regulators, supervisors, investors, shareholders, and policyholders alike—the effectiveness of the existing corporate governance system in overseeing insurance companies, and, in some cases, their excessive risk-taking, was questioned.⁶ Corporate governance mechanisms can affect executives’ risk-taking preferences—and, as such, firm risk—which is relevant to owners and policyholders. The regulatory importance of this analysis becomes obvious in light of Solvency II, which provides for the redefinition of capital adequacy, risk management, and disclosure requirements for insurance companies in the European Union. In the Solvency II framework, capital adequacy, risk management, and disclosure requirements are all areas that have been closely linked to corporate governance.⁷

3.07  Having this as a general framework, there should be adequate recognition of the nature, scale, and complexity of the business of insurers and of the risks to which they are exposed (life, non-life, retail, business, reinsurance, etc), as insurers have very different risk profiles, diversification, size, and business models.⁸ Thus, EU prudential regulation, with its sets of high-level corporate governance principles, has to deal with the specificities of the insurance sector and needs to have sufficient flexibility to take into account the characteristics of each type of insurance activity and various forms of corporate structure (mainly stock companies, but also mutual and co-operative). There are also expectations to shape corporate governance frameworks of financial institutions in a comparable and similar way for all types of financial institutions, often using banking regulation as the underlying template.⁹ Thus, the governance framework for insurers should be well-defined and is becoming even more comparable to the framework for other financial institutions.¹⁰

3.08  Governance structures for insurers differ amongst European jurisdictions. Boards may be structured in various ways depending on, among other things, jurisdictional corporate law.¹¹ Despite the differences, two distinctive functions commonly need to be performed: (i) setting the overall strategy and (ii) oversight, execution, and management. These functions can either be entrusted to a single body or spread over separate bodies. In many jurisdictions, the corporate body responsible for oversight and overall strategy and policy is the board of directors. The board relies on the senior management which is responsible for executing decisions made by the board and for managing the insurer on a day-to-day basis.

3.09  In some European jurisdictions, an insurer’s board includes executive directors, who are managers and employees of the insurer, and external directors, who are independent or disinterested board members. Outside directors are often part of the governance requirements prompted by Member States’ insurance legislation to promote the independence of the board’s decision making.

3.10  One-tier boards typically have overall responsibility for the insurer but are allowed, by law, to delegate management of the insurer to a CEO. In other European Member States, insurers are required by general company law or other regulation to spread the board function over two formal bodies usually called a supervisory board and a management board. In a two-tier system, the supervisory board is responsible for oversight on the overall course of business and strategy of the company while strategy setting, execution, and management are carried out by a management board whose chairman is sometimes named as CEO. The supervisory board may have, in some cases, additional tasks, including the approval of important strategic and corporate decisions.

3.11  Because of the coexistence of the two approaches, the European insurance sector requirements are based on a functional perspective to be applied consistently across Europe.¹² The Directive¹³ comprises a considerably high level of detail concerning (p. 47) principles and requirements of the system of governance, especially compared to the Level I and/or Level II texts (implementing measures) of other EU directives on financial services. The Solvency II Directive covers the most important issues to be regulated to ensure appropriate governance standards within insurance and reinsurance undertakings. Therefore, the scope of essential and extensive measures on Level II¹⁴—with some specific exceptions, such as the Level II rules on outsourcing, remuneration, risk management, and valuation—has been limited.¹⁵ Moreover, Article 50 of the Directive stipulates the minimum contents of the Level II implementing measures. These are the reasons why the provisions of the 2nd Pillar concerning the corporate governance of insurance undertakings also include the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines supplementing the Solvency II requirements, as provided by the Directive and the Implementing Measures, to foster supervisory convergence across the EU Member States.

3.12  With regards to the overall system of governance for insurance and reinsurance undertakings, Section 2 of Chapter IV of the Directive focuses on the regulation of the following main issues: general governance requirements, fit and proper requirements, risk management, internal control, outsourcing, and the prudent person principle. The ‘general governance requirements’ (Art 41) aim at the implementation of an effective and proportionate system of governance, which provides for sound and prudent management of the business and sets out the implementation of written policies concerning the primary functions of the undertaking (i.e. risk management, internal audit, internal control, outsourcing), including the development of contingency plans.

3.13  The ‘fit and proper requirements for persons who effectively run the undertaking or have other key functions’ (Arts 42–43) aim to ensure that all the persons that effectively manage the undertaking or perform key functions within the undertaking are fit and proper, meaning that they comply with both professional and reputational standards. The ‘risk management’ requirements (Art 44) aim to set standards for the implementation of an effective risk-management system within the undertaking, comprising strategies, processes, and reporting procedures (p. 48) necessary to identify and manage the main risks to which the undertaking is exposed, at both an individual and group level, including the ‘own risk and solvency assessment’ activity (Art 45). ‘Internal control’, ‘internal audit’, and ‘actuarial function’ (Arts 46–48) aim to implement an adequate internal control system, internal audit function, and actuarial function with the undertaking.

3.14  These governance requirements are addressed and, in some cases, further developed in the Implementing Measures and the EIOPA Guidelines on the System of Governance. It is worth remembering that both the Solvency II Directive and the EIOPA Guidelines are addressed to the competent national authorities that should implement—at the national level—suitable measures within the specified time framework to ensure compliance with the provisions of the Solvency II Directive and the EIOPA Guidelines.¹⁶

3.15  In cases of failures or near-failures of insurers, weak governance and ineffective internal controls and risk management are often associated with the problems that arose.¹⁷ A board is responsible, more than ever, for understanding and supervising the insurer’s strategy and risk appetite. For a variety of reasons, some boards may be not well informed, or do not realize, or did not have the appropriate understanding of the financial condition and risks faced by the insurer.¹⁸ In other cases, preference could have been given to short-term profits rather than to policyholders’ and beneficiaries’ interests. Boards often know much less about an insurer’s financial condition than management. Consequently, due consideration must be paid to the requirements of individual directors, their knowledge of the business, their continuing education needs/requirements, the development of ethical and honest conduct and decision making, and their awareness of their personal responsibility and fairness.¹⁹

(p. 49) 3.16  Following best practices at international level, the Solvency II Directive requires all insurance and reinsurance undertakings to have in place an effective system of governance which provides for a sound and prudent management of the business.²⁰ That system shall at least include an adequate transparent organizational structure with a clear allocation and appropriate segregation of responsibilities, as well as an effective system for ensuring the transmission of information.²¹

3.17  In line with corporate governance best practices, the EIOPA Guidelines put particular emphasis on the company’s organization by referring, as usual, to four main areas: an effective system of governance (comprising risk), the internal control system, the organizational and operational structure, and the decision-making process. Like the existing governance requirements for credit institutions and investment firms set out in the regimes laid down in the Capital Requirements Directive and the Markets in Financial Instruments Directive, under Solvency II the administrative, management, or supervisory body is at the centre of the governance system.

3.18  The nature and structure of the administrative, management, or supervisory body varies with the national company law applicable in the jurisdiction in which the insurance undertaking is incorporated. The term ‘administrative, management or supervisory body’ (hereafter, the AMSB) covers the single board in a one-tier system and the management or the supervisory board of a two-tier board system. According to the Directive, the responsibilities and duties of the different bodies should be seen having regard to different national laws. When transposing the Level I text, each Member State has to consider its own system and attribute each responsibility and duty to the appropriate board.

3.19  The primary governance requirements focus on the duty of the AMSB to be informed.²² Committees (if established), senior management and key functions are the interlocutors with whom the board has to interact, ‘proactively requesting information from them and challenging that information, when necessary’. It seems impossible to miss that the provision requires directors to behave proactively. This means that the AMSB has to carry out a rather strict duty of monitoring. Indeed, directors not only have to check the information provided but should also independently collect relevant information. This solution could affect the general (p. 50) principle that directors can rely on officers’ information. In this case, the liability of non-executive directors would increase dramatically. Furthermore, it is necessary to highlight that the Solvency II Directive does not make any explicit reference to a proactive behaviour, but it instead refers to, among other things, an effective system of governance and requires the implementation of appropriate segregation of responsibilities. It is questionable whether a too broad monitoring duty is compatible with effectiveness, and whether it allows the separation of executive and non-executive tasks.

3.20  As to the organizational and operational structure,²³ a close link exists between organisation and effective operation, provided that they support each other. Both are necessary to ensure a proper flow of information among the undertaking’s different levels of hierarchy. In this regard, the organizational structure determines the tasks and assignments, while the operational structure settles the way of performing the tasks. In any case, it is ultimately the AMSB that has the responsibility for execution and it is not bound by recommendations included in the findings of the key functions. Although EIOPA in the explanatory text to Guideline 5 clearly states that the AMSB is apparently not entitled to suppress or tone down the results of the key functions,²⁴ it is not fully clear how the AMSB can reach different conclusions without pressing the several functions to get new data capable of supporting its position.

3.21  Lastly, the organizational and operational structure is based on a cost benefit approach. This represents a fundamental change to the earlier generations of EU insurance directives, that were based on the ‘one size fits all’ principle. This new approach, on the one hand, introduces more flexibility in the corporate governance system of each undertaking and, on the other hand, increases the responsibility of the board, if compared to the previous regulatory framework. Undertakings have to review their system of governance periodically (as well as in the case of particularly significant events), under the ultimate responsibility of the AMSB.²⁵

3.22  EIOPA does not require a mandatory organizational structure of separate units focusing on risk management, compliance, internal audit, and actuarial function.²⁶ (p. 51) The undertaking is still permitted to combine each function based on its own specifics. However, the Solvency II regime provides a mandatory model for the written policies required by Article 41, relating to the risk management, internal control, internal audit, and, where relevant, outsourcing, and for any further policy the undertaking decides to implement.²⁷

3.23  The primary goal of Solvency II is the protection of policyholders and beneficiaries.²⁸ However, other goals should be taken into account by the insurer as well, including financial stability and fair and stable markets as long as this is not to the detriment of the primary goal of Solvency II. Besides, supervisory authorities may also take into account in their supervisory task the impact of voluntarily adopted codes of conduct and transparency codes when insurers invest in non-regulated or alternative investment categories. The alignment between the primary goal, protection of policyholders and beneficiaries, and expectations of another nature may present additional challenges from a governance perspective. As can be observed in initiatives such as the European Capital Markets Union, as well as the European Action Plan on Sustainable Finance, there is an expectation for insurers to contribute to the goals, pursued through these initiatives, in particular through their investment behaviour.²⁹

3.24  In these EU initiatives, certain types of investments (e.g. infrastructure, sustainable investments) receive a specific focus within the more generic investment categories such as equities, bonds, etc.)³⁰ These investments might benefit from a more favourable capital treatment than other types of investments in these categories. These investments are not per se less risky than other investments in the same investment category, and such investments might not necessarily be prudent from a policyholder protection perspective. Therefore, additional safeguards will be built in to justify such preferential treatment. Such measures may include qualitative requirements concerning these investments, as well as additional governance requirements (p. 52) specifically aimed at these specific assets. As an example, the possibility for insurers to invest in infrastructure investments³¹ with a lower capital charge than other investments in the same investment categories is confined to certain types of qualifying infrastructure investments and imposes on the insurer more prescriptive due diligence requirements, checks on (potential) conflicts of interests, modelling, stress-testing, etc. Similar mechanisms can be observed for other investment categories (such as securitizations, mortgage loans) and it can be expected that, for instance, in the context of sustainable finance, this approach might be taken as well. It should be noted that some or many of these investments might be harder to assess than other investments, for instance, because the investments are not admitted to trading on regulated markets, which might pose additional challenges concerning valuation. This requires additional safeguards concerning such assets.³²

3.25  An additional safeguard for the appropriate assessment of the risks is, of course, the own risk and solvency assessment (ORSA) process, which is discussed in more detail in Section V of this chapter. As part of this process, the AMSB should challenge the assumptions behind the calculation of the solvency capital requirements to ensure these are appropriate given the assessment of the undertaking’s risks. This provides an additional safeguard that, where such goals are pursued by the insurer, in addition to policyholders’ interests, this does not go against the primary goal of policyholder protection.

3.26  Fitness and propriety, as part of the governance of financial institutions, are covered in detail elsewhere in this book.³³ However, some short, specific remarks on fitness in the context of insurers’ governance can be made. As is clear from this chapter, the responsibility of members of the AMSB and persons responsible for other key functions, in particular concerning risk management, is very substantial. Risk management is of course (close to) the essence of insurance.

3.27  The fitness requirements concerning insurers reflect this notion by dedicating specific attention to the qualifications of members of the AMSB in this area. These requirements include a significant level of insurance-sector specific knowledge and expertise.³⁴ Members of the AMSB should collectively possess appropriate qualifications, experience, and knowledge about at least: (i) insurance and financial (p. 53) markets; (ii) business strategy and business models; (iii) systems of governance; (iv) financial and actuarial analysis; and (v) regulatory framework and requirements.

3.28  ‘Insurance and financial markets knowledge’, in this context, means awareness and understanding of the wider business, economic, and market environment in which the insurer operates and awareness of the level of knowledge and needs of policyholders. ‘System of governance knowledge’ means the awareness and understanding of the risks the insurer is facing and its capability to manage them. Furthermore, it includes the ability to assess the effectiveness of the insurers’ arrangements to deliver effective governance, oversight, and controls in the business and, if necessary, oversee changes in these areas. ‘Financial and actuarial analysis knowledge’ means the ability to interpret the insurer’s financial and actuarial information, identify key issues, put in place appropriate controls, and take measures based on the information.³⁵

3.29  Earlier in this chapter, reference has been made to ‘key functions’. Apparently, this is a more generally used concept in financial services legislation. In contrast to the current Capital Requirements Directive (CRD IV) and the current Markets in Financial Instruments Directive (MiFID II),³⁶ Solvency II is explicit as to which functions, apart from the AMSB, should at least be considered key functions.³⁷ The risk-management function and the actuarial function have already been discussed.

3.30  Apart from these functions, Solvency II also distinguishes the compliance function and the internal audit function. Many, if not most, insurers have identified in their organization these four functions as the key functions, although the Solvency II Directive does not exclude the possibility of identifying more than only these four key functions.

3.31  Identification of these functions is relevant for a number of reasons: (i) persons responsible for key functions are subject to fitness and propriety requirements; (ii) supervisory authorities should be informed of changes in respect of the persons responsible for key functions; (iii) outsourcing of key functions is subject to more stringent requirements than outsourcing of other activities or functions; and (iv) key functions are subject to specific independence requirements.

3.32  The importance of outsourcing for insurers is reflected in the attention that Solvency II dedicates to this topic.³⁸ Recently, EIOPA has reconfirmed the importance of the supervisory convergence of Solvency II requirements, including governance, risk management, and outsourcing requirements in the context of the UK’s decision to withdraw from the European Union.³⁹⁴⁰ As a general principle, insurers are entirely responsible for discharging all of their obligations when they outsource functions or insurance or reinsurance activities, irrespective of whether the activity or function has been outsourced. Solvency II does not formally limit the activities or functions that can be outsourced by the insurer, but does provide that, when outsourcing critical or important operational functions or activities, these shall not be outsourced in such a way as to lead to either: (i) materially impairing the quality of the system of governance of the undertaking concerned; (ii) unduly increasing operational risk; (iii) impairing the ability of the supervisory authorities to monitor the compliance of the undertaking with its obligations; or (iv) undermining continuous and satisfactory service to policyholders.

3.33  In the context of outsourcing, Solvency II distinguishes between outsourcing of critical and important operational functions or activities and outsourcing of other activities. This distinction is relevant for many reasons. As referred to above, in certain circumstances, outsourcing of important operational functions or activities may not take place. Furthermore, supervisory authorities should be informed timely in advance of the outsourcing of important operational functions or activities and of subsequent material developments concerning these activities or functions.

3.34  When an insurer proposes to outsource functions or insurance or reinsurance activities, it should establish a written outsourcing policy and enter into a written agreement with the service provider that complies with many detailed requirements, set out in Article 274 of the Solvency II Delegated Regulation.⁴¹

(p. 55) 3.35  The insurer should determine and document itself whether a function or activity is critical or important. The basis for that determination is whether the function or activity is essential to the operation of the undertaking as it would be unable to deliver its services to policyholders without the function or activity.⁴² Not all activities performed by a service provider fall within the scope of the outsourcing requirements. In particular, occasional or one-off provision of services to the insurer is less likely to constitute outsourcing but it might become outsourcing if the reliance on that service provider for a specific function or activity becomes more structural. While EIOPA acknowledges that it is not possible to determine a bright line of what should and need not be considered outsourcing, it does provide some guidance, as well as on which activities or functions should be considered critical or important.⁴³

3.36  It is important to note that the outsourcing requirements apply to both external outsourcing and outsourcing arrangements within the group. Individually for intra-group arrangements, the insurer should consider its ability to control and influence the activities of the service provider.⁴⁴ Also, at the level of the group, it should be documented which activities relate to which legal entity, to ensure continuity of the services to the individual entities in the group.⁴⁵

3.37  It is clear that the AMSB is ultimately responsible for the outsourced activities or functions. This responsibility is reflected in many specific requirements for the AMSB.⁴⁶ Those responsibilities include the obligation to perform a proper due diligence on the service provider on the ability, capacity, and authorizations needed to deliver the required functions or activities, management of potential conflicts of interest, the obligation to gain a proper understanding of the terms and conditions of the outsourcing arrangement, as well as data privacy and confidentiality arrangements. Furthermore, an essential element of the requirements is that both the service provider’s risk management and internal control system are adequate to comply with Solvency II requirements.⁴⁷ Moreover, the activities are also taken into account in the risk management and internal control systems of the insurer itself.⁴⁸

3.38  Remuneration policies have become a core element of post-crisis financial reforms, including in the insurance sector. While the Solvency II Directive itself, dating back to 2009, is silent on remuneration policies, the Solvency II Delegated Regulation, dating from 2015, has an elaborate provision on remuneration policies,⁴⁹ largely developed along similar lines as the CRD requirements in this respect, and complemented by EIOPA guidelines on remuneration polices and remuneration committees.⁵⁰

3.39  Specific requirements are set for remuneration of key function holders and other staff working in key functions. In some jurisdictions (e.g. the Netherlands), in the immediate regulatory response to the financial crisis, while the Solvency II framework was not yet in force, local remuneration rules, based on CRD requirements, were applied in a cross-sectoral manner to insurance companies too, also incorporating guidelines, promulgated by EBA’s predecessor, CEBS,⁵¹ as the appropriate guidance for the interpretation of local requirements.

3.40  In addition, deviations from minimum CRD requirements (in particular, a more stringent bonus cap of 20 per cent) were also imposed on insurance companies. Recently, a more sectoral approach is again being followed for insurance companies, under the influence of the entry into force of Solvency II and the development of new EBA guidelines. While the bonus cap continues to be in place for insurance companies in the Netherlands, the local remuneration framework there now relies on the directly applicable Solvency II Delegated Regulation with sector-specific guidelines (despite being developed along CRD-lines) and any guidance under the Solvency II framework, instead of CEBS or EBA guidelines.

3.41  The core business and reason for the existence of insurance companies is the assumption, pooling, and spreading of risk,⁵² in order to mitigate the risk of adverse financial consequences to individuals and businesses that are policyholders or beneficiaries of insurance policies.⁵³ A thorough understanding of risk types, (p. 57) characteristics and interdependencies, sources of risks, and the potential impact on the business is key for insurers. Therefore, the risk management system, as well as capital management, plays a key role within insurance companies and in insurance groups⁵⁴ (hereinafter, together referred to as ‘insurers’), and due to the nature of the insurance business, a very specific role. Both risk management and capital management aim to protect both policyholders and capital providers from adverse events. Consequently, the risk management system also plays a pivotal role in the system of governance of insurers and is closely linked to capital management.

3.42  The crucial role of risk management can be observed in the Insurance Core Principles (ICPs), developed by the International Association of Insurance Supervisors (IAIS). The ICPs provide a global framework for insurance supervision and dedicate various statements⁵⁵ specifically to risk management, risk governance, internal controls, and enterprise risk management for solvency purposes.⁵⁶⁵⁷ As Binder rightly observes in Chapter 2 of this volume,⁵⁸ risk-management requirements have become commonplace in European financial regulation generally, and have also been enacted concerning insurance companies.

3.43  In Europe, the Solvency II framework provides a regulatory framework for insurance supervision that is generally considered to be consistent with the ICPs. Although the Solvency II project originates from well before the financial crisis, the influence of post-financial crisis regulation can be observed. The Solvency II requirements and EIOPA guidelines, including in areas such as risk management, internal controls, outsourcing, and remuneration are detailed and prescriptive, which provides the insurer with a very significant and detailed basis of requirements for its internal organization and system of governance already. In terms of complexity, the detailed requirements promulgated under the Solvency II framework, compete (p. 58) with the CRD IV and MiFID II frameworks, albeit targeted to a large extent to the particularities of insurance companies’ business models.⁵⁹

3.44  Solvency II approaches risk in accordance with the so-called economic total balance sheet approach.⁶⁰ Unlike the previous regulatory EU framework for insurers, not only the insurance risks are taken into account for the calculation of capital requirements, all risks of insurers are taken into account. A holistic approach is taken in the supervision of insurers, whereby the different pillars of the Solvency II framework influence each other and both sides of the balance sheet may have an impact on the capital requirements: Investment in riskier assets by an insurance company may result in higher capital requirements and/or more stringent governance requirements. Weaker governance may lead to capital add-ons.⁶¹ (Risk) governance requirements for the management of assets that back technical provisions are more stringent than governance requirements for assets held to cover the minimum capital requirement and these requirements are, again, more stringent than the requirements that are held to cover the (higher) solvency capital requirement.

3.45  For insurers, subject to Solvency II, the Solvency II Directive distinguishes various elements within the risk-management system and in the system of governance more generally that are relevant in the context of risk management within insurers. In particular, the risk-management system, the risk-management function, the ORSA, and the internal control system should be mentioned.

3.46  Insurers are required to have in place an effective risk-management system⁶² comprised of strategies, processes, and reporting procedures necessary to identify, measure, monitor, manage, and report, on a continuous basis, the risks, at an (p. 59) individual and at an aggregated level, to which they are or could be exposed, and their interdependencies.⁶³

3.47  The risk-management system, therefore, has three main building blocks: strategies, processes, and reporting procedures.⁶⁴ Furthermore, insurers are also required to have in place, as part of the risk-management system, a risk-management function. The risk-management function is one of the key functions that Solvency II distinguishes. The other key functions are the compliance function, the actuarial function, and internal audit function.

3.48  Solvency II explicitly links the risk-management system to the system of governance, not only by making it clear that the risk-management system is part of the system of governance, but also by requiring that the risk-management system must be effective and well-integrated into the organizational structure and in the decision-making process of the insurer with proper consideration of the persons who effectively run the insurer or have other key functions.⁶⁵ Furthermore, the AMSB is ultimately responsible for the effectiveness of the risk-management system, setting the insurance companies’ risk appetite and overall risk tolerance limits, as well as approving the main risk-management strategies and policies.⁶⁶ The ultimate responsibility of the AMSB is emphasized by the expectation that at least one member of the AMSB is designated to oversee the risk-management system on its behalf,⁶⁷ and by the expectation that the embedding of adequate risk-management processes and procedures across the undertaking and the adequate consideration of the risks involved is provided for in all major decisions of the insurer.⁶⁸

3.49  A number of elements can be highlighted in this context: (i) the role of the AMSB in respect of the risk management system; (ii) the role of the ORSA in the risk-management system and the integration of the ORSA in decision-making processes and in the strategy; (iii) the interaction between the quantitative requirements and qualitative requirements; and (iv) the importance of documentation and internal reporting to support the system of governance.

3.50  According to the IAIS, strategies should set out an insurers’ approach for dealing with specific areas of risk and legal and regulatory obligations.⁶⁹ Article 259(1) of the Solvency II Delegated Regulation requires the risk-management strategy to be clearly defined and consistent with the insurers’ overall business strategy and requires the objectives and key principles of the strategy, the approved risk tolerance limits, and the assignment of responsibilities across all the activities of the insurer to be documented. The risk-management strategy incorporates the risk appetite of the insurer. This is the attitude of the insurer toward the main categories of risks. This risk appetite needs to be clear and detailed enough to express and reflect the strategic high-level objectives of the administrative, management, or supervisory body.⁷⁰ The AMSB is expected to give appropriate directions concerning the definition of risk appetite. Furthermore, the risk-management strategy should also be expressed in risk tolerance limits. These are the restrictions that the insurer imposes on itself when taking a risk. These restrictions effectively limit the capacity of the insurer to take risks. These restrictions can go beyond the Solvency II requirements. In addition, risk tolerance limits should take into account the insurers’ risk appetite as well as other relevant information, such as the risk profile of the insurer and the interrelationship between risks.⁷¹ The AMSB is also responsible for the approval of periodic revisions of the main risk strategies of the insurer.⁷²

3.51  As part of the general Solvency II governance requirements, insurers should have in place written policies concerning at least risk management, internal control, internal audit, and, where relevant, outsourcing. Insurers shall ensure that those policies are implemented.⁷³ The risk-management policy shall comprise policies on specific areas, mentioned in the Directive. These areas correspond with material risk types faced by insurers, such as underwriting and reserving, asset-liability management, investments (in particular derivatives and similar commitments), liquidity, and concentration risk management, operational risk management, reinsurance, and other risk-mitigation techniques.⁷⁴ The AMSB is responsible for the approval of the periodic revisions of central risk policies of the insurer.⁷⁵

3.52  In general terms, Solvency II places much emphasis on the proper documentation and reporting of processes and procedures. This notion can be found in various places in the Solvency II framework, and in general terms in Article 258 of the (p. 61) Solvency II Delegated Regulation that requires the insurer to establish, implement, and maintain effective cooperation, reporting, and communication of information at all relevant levels of the undertaking. Specifically in the context of the risk management system, Article 259 of the Solvency II Delegated Regulation requires the insurer to have in place a number of written policies of material risk categories, as well as clear definitions and categorization of risk types. Furthermore, this provision requires reporting procedures and processes to ensure that information on material risks faced by the insurer and the effectiveness of the risk-management system are effectively monitored and analysed and appropriate modifications can be made where necessary. On top of that, the persons that effectively run the insurer or have other key functions should take into account the information reported as part of the risk management system in the decision-making process. EIOPA complements these requirements in a number of areas, for instance by providing: (i) specific guidelines on the way policies should be structured, maintained, approved, reviewed, and documented;⁷⁶ (ii) specific requirements with respect to the documentation of the valuation of technical provisions;⁷⁷ and (iii) requirements with respect to data quality, in particular concerning data quality in respect of the technical provisions.⁷⁸ These are reflected in the required internal controls concerning the valuation of assets and liabilities more generally.⁷⁹ In addition, in respect of the internal control system, specific mention is made of appropriate (administrative and accounting) procedures, as well as appropriate reporting procedures.⁸⁰

3.53  As part of the risk-management system, insurers are required to have in place a risk-management function, as the Solvency II Directive describes it: ‘to facilitate the implementation of the risk management system’. The risk-management function is responsible for assisting management in the effective operation of the risk-management system, monitoring the risk-management system, monitoring the general risk profile of the insurer as a whole, reporting on risk exposures, and advising management on risk-management matters, including in relation to strategic affairs, such as mergers and acquisitions and major projects and investments, and identifying and assessing emerging risks. Furthermore, the risk-management function has a number of additional tasks in case the insurer uses a partial or full internal model for the calculation of its capital requirements. In addition, the risk-management function is required to liaise closely with the users of the outputs of the internal model and to cooperate closely with the actuarial function.

3.54  The actuarial function is a function specific to insurers, and as such, part of the system of governance of insurers. One of the key tasks of the actuarial function is the coordination of the calculation of the technical provisions. Solvency II does not specify who should be doing the actual calculation of the technical provisions, as long as there is a clear allocation and appropriate segregation of responsibilities to ensure independent scrutiny and validation of the technical provisions.⁸¹ Furthermore, the actuarial function is responsible for the assessment of the data quality of both the internal and external data used in the calculation of the technical provisions, as well as the testing against experience of the technical provisions.⁸²

3.55  Insurers should, as part of their business strategy, regularly assess their overall solvency needs in accordance with their own risk profile. This process is referred to as the own risk and solvency assessment (ORSA).⁸³ The ORSA process does not, however, serve to calculate a solvency requirement different from the one that the insurer calculates following Solvency II requirements. The results of the ORSA could prompt an insurer to reassess the calculation of its capital requirements but might, instead, also result in alternative measures, such as changes in the risk profile of the insurer or changes in its system of governance. It would be easy to assume that the ORSA is primarily a reporting obligation or a mere compliance exercise, but that would disregard the key position that is given to the ORSA process in the context of Solvency II.

3.56  The ORSA should be integral to the business strategy and the strategic decisions of the insurer. As such, the ORSA is a central element in the governance of an insurer. The results of the ORSA are expected to contribute to decisions regarding the risks the insurer is prepared to retain or transfer, how to optimize capital management, pricing of products, and other strategic decisions.⁸⁴ The insight gained from the ORSA should also be taken into account by the AMSB in the medium and (p. 63) long-term capital planning of the insurers, taking into consideration the business and strategy the insurer has decided upon.

3.57  Given the key role the ORSA plays in the governance of the insurer, it is not surprising that the role of AMSB is also expressly dealt with in the Solvency II context. In its guidelines on the ORSA, EIOPA describes the role of the AMSB as a ‘top-down-approach’, whereby the AMSB is supposed to take an active part in the ORSA process, should steer the ORSA process and how it is performed, and has a role in challenging the results of the ORSA. Active involvement of the AMSB in the ORSA process is therefore expected. EIOPA is fairly explicit in the importance of the ORSA process as a management tool. The ORSA is supposed to provide the AMSB with a comprehensive picture of the risks the insurer is exposed to or (forward looking) could face in the future. It should enable the AMSB to understand the risks, translate risks into capital needs or the application of risk mitigating techniques (such as reinsurance). Furthermore, using the ORSA as a starting point, it forms the basis for the AMSB for instructions on management actions if specific risks were to materialize.

3.58  The internal control system appears, considering the structure maintained in the Solvency II Directive, to be distinct from the risk-management system but is closely related to it and plays a crucial role in the system of governance of insurers.⁸⁵ In fact, the requirements for the internal control system are referred to and consequently made part of the general requirements concerning the system of governance.⁸⁶ The purpose of the internal control system is to ensure the insurers’ compliance with applicable laws, regulations, and administrative provisions and the effectiveness and efficiency of the insurers’ operations in light of its objectives as well as to ensure the availability and reliability of financial and non-financial information. At least, the internal control system must include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the insurer’s undertaking, and must include a compliance function. Conceptually it is quite odd that Article 46 of the Solvency II (p. 64) Directive identifies specifically the compliance function as part of the internal control system. The other key functions that can equally be considered to be part of the internal control system of an insurer are not explicitly mentioned in the context of the internal control system. Section 2 of Chapter IV of the Solvency II Directive dedicates a specific provision to each of the other key functions, without explicitly referencing to the internal control system.

3.59  EIOPA conceptually breaks down internal controls into various aspects: (i) an internal control environment; (ii) internal control activities; (iii) communication; and (iv) monitoring.⁸⁷ These aspects are not discussed in this chapter in detail but it should be highlighted that, in this context, EIOPA emphasizes the importance of the awareness of all personnel of the insurer of their respective roles in the internal control system, the responsibility of the insurer to promote this awareness, and the reliance of an adequate internal control system on a high level of integrity in the organization. The internal control system should be fully embedded in the insurers’ culture and any policies and practices that may provide incentives for inappropriate behaviour should be avoided.⁸⁸

3.60  Solvency II devotes specific consideration to internal controls of the valuation of assets and liabilities. Insurers are expected to establish, implement, maintain, and document clearly defined policies and procedures for the process of valuation, including a description of roles and responsibilities of the personnel involved with the valuation, the relevant models, and the sources of information used.⁸⁹ More detailed requirements set out the elements that should be included in internal control processes.⁹⁰

3.61  As indicated above, Solvency II takes a holistic approach to the regulation and supervision of insurers. Therefore, it is not surprising that in the Solvency II requirements and accompanying EIOPA guidelines, quantitative and qualitative requirements are closely linked. Capital requirements, own fund requirements, and investment requirements, which by nature are primarily quantitative requirements, are supported by qualitative requirements, including governance requirements. (p. 65) This is in line with the general guidance supporting IAIS ICP 15.⁹¹ The IAIS considers that financial requirements are not sufficient by themselves to ensure solvency and, therefore, should be complemented with appropriate quantitative or qualitative requirements limiting/regulating the investment risks that are taken by the insurer.⁹² In establishing such requirements, one of the factors that may be included is the overall quality of risk management and governance frameworks in the insurance industry in the jurisdiction.⁹³

3.62  Unlike earlier generations EU insurance directives, under the Solvency II framework, insurers are no longer subject to hard legal investment restrictions or requirements.⁹⁴ Instead, insurers have the freedom to invest in any category of asset without prior approval of systematic notification requirements to supervisors.⁹⁵ The freedom of investment is complemented by the ‘prudent person principle’, according to which insurers are required to invest their assets with prudence.⁹⁶ Prudence, in this context, has various dimensions. In the first place, it means that insurers can only invest in assets and instruments whose risks it can properly identify, measure, monitor, control, and report, and can appropriately take into account in the assessment of the overall solvency needs of the insurer. Furthermore, all assets, in particular, those covering the lower and higher solvency requirement (the Minimum Capital Requirement (MCR) and the Solvency Capital Requirement (SCR) shall be invested in such a manner as to ensure the security, quality, liquidity, and profitability of the portfolio as a whole. Besides, localization of those assets shall be such as to ensure their availability. Assets held to cover technical provisions (i.e. those assets that correspond most directly to the insurance liabilities) shall be invested in a manner appropriate to the nature and duration of the insurance liabilities. Moreover, these assets shall be invested in the best interests of all policyholders and beneficiaries, taking into account any disclosed policy objective. In case of conflicts of interest, the investments need to be done in the best interests of policyholders and beneficiaries. It is important to note that, according to EIOPA, the features of security, quality, liquidity, and profitability apply to the portfolio as a whole and not to individual investments in the portfolio, but they should, finally, (p. 66) contribute to the security, quality, liquidity, and profitability of the portfolio as a whole.⁹⁷

3.63  Specific arrangements have been made in the Solvency II framework for assets held in respect of life insurance contracts where the investment risk is borne by policyholders, or where the benefits are linked to certain investment funds.

3.64  As follows from the above, the freedom of investment and prudent person principle emphasize the need for strong governance of the assets and instruments held by insurers. The insurer is itself responsible for setting prudent limits in its investment portfolio for specific investment categories, without prescribed regulatory limits to stay within. Moreover, the insurer should define its own risk appetite, but pursuing more risky strategies might result in stronger governance and/or higher capital requirements.

3.65  In fact, EIOPA has developed, as part of the guidelines for the system of governance, specific guidelines on the prudent person principle and the system of governance.⁹⁸ EIOPA clarifies in this context that the prudent person principle is as much a behavioural standard as an assessment of judgements and investment decisions. According to EIOPA, prudence is to be found in the process by which investment strategies are developed, adopted, implemented, and monitored in light of the purposes for which funds are managed, as well as in the outcomes. EIOPA emphasizes the importance of: (i) due diligence and process in respect of investment decisions; (ii) care, skill, and delegation; (iii) duty to monitor; (iv) duty to protect policyholders’ and beneficiaries’ interest; and (v) the principle of delegation.

3.66  The level of skills and expertise that is expected to fulfil the prudent person principle may require the insurer to obtain external advice or to delegate specific tasks to external parties with the required skills. Nevertheless, the insurer remains responsible for the delegated tasks and monitoring and reviewing these activities to ensure that they are being carried out appropriately and prudently. The insurer should also assess any conflicts of interests or misalignment of incentives that may exist or arise when delegating tasks.

3.67  As part of the system of governance, insurers are required to develop a capital management policy. In addition, insurers should develop a medium-term capital management plan. The role of the AMSB in respect of the medium-term capital management plan is described in some detail by EIOPA.⁹⁹

(p. 67) 3.68  The AMSB should monitor the medium-term capital management plan; both its development and maintenance. The frequency with which the AMSB needs to consider the plan depends on the specific circumstances of the insurer, including but not limited to:¹⁰⁰ (i) the stability of the insurer’s business model and projections; (ii) the frequency of planned capital issuance, repayment, and redemptions, and other factors affecting own funds including the performance during the year; (iii) the extent to which own funds exceed the SCR and the assessment of capital needs identified when the ORSA was performed; and (iv) the extent to which available own funds exceed, or are close to, the limits applying when determining eligible own funds.

3.69  In this manner, Solvency II allows for different business models and capital management strategies, but at the same time links these to governance requirements matching such business models and strategies.

3.70  The interests of both shareholders and management may diverge from the interests of policyholders.¹⁰¹ Policyholders and insurance beneficiaries are also a dispersed group, with little power to compel insurers and their management to take specific action, as they may be in a weak position to contest the settlement of claims or dormant life assurance policies. Life insurance establishes contractual relations over many years between an insurer and the life policyholder or the latter’s beneficiaries, which is similar in many respects to the ‘fiduciary’ relationships of pension funds. In the non-life business, taking account of a shorter time horizon, the potential divergence of interests between insured and insurer originates from the discretionary power of management concerning claims settlement.

3.71  This possible divergence arises from the value-maximization objective of shareholders and management and may take the form of inadequate technical provisions, unfair claims settlement outcomes, or inequitable profit distributions to participating policyholders. Thus, the European legislation designs and implements a system of governance of the insurance firm oriented to care for the best interests of policyholders. This combines with a supervisory expectation that firms and their corporate governance system—including the board of directors—take into account the interests of policyholders in their decision making.