Insurers’ risk and capital models have tended to be seen as a ‘black box’, with limited understanding and involvement from boards and business teams. As the models are opened up to supervisory scrutiny under Solvency II, they will need to meet more exacting demands of governance and assurance.
This includes demonstrating that the source data is of sufficient quality; that the design, development and operation of the models are properly controlled and that senior management has a reasonable understanding of the models’ workings and outputs. While clearly challenging, meeting these requirements is an opportunity to bring the models out of the shadows, strengthen their credibility within the business and hence make them a more effective decision support tool.
Insurers will have to demonstrate to their supervisors that the data they use is sufficiently complete, accurate and appropriate for their specific needs. The critical word here and the one that will require the most thought and work is ‘demonstrate’.
Even firms that have invested in data warehouses and other sophisticated data retrieval systems face a considerable challenge in demonstrating to supervisors that they understand and are managing their data quality, and are providing the right kind of evidence and documentation to support this.
While the focus of the Committee of European Insurance and Occupational Pensions’ (CEIOPS) data quality standards is the technical provisions and the Solvency Capital Requirement (SCR), regulators will expect insurers to adopt a consistent approach to data quality across their Solvency II programme.
‘Firms must improve their data management and quality – we will assess firms’ plans and ensure that their project planning is robust early in the pre-application stage.’
Source: UK Financial Services Authority ‘Solvency II IMAP Update’, April 2010
Solvency II requires some specific documentation, such as a data quality policy describing the company’s interpretation of the data quality criteria. The company will also need to outline its system of data quality management, that is, how the requirements will be embedded within the organisation. In addition, insurers will be expected to maintain a data directory, outlining the source, characteristics and usage of the data.
However, to truly apply a consistent approach to data quality across the organisation, the policy and directory should form part of a systematic approach, which should also include appropriate governance arrangements and clarity around the responsibilities of those who produce and consume the data. Supervisors will expect insurers to regularly review data used in their solvency calculations and show that not only is the data of the required quality, but that the required standards remain appropriate and up to date.
What this is likely to require in practice is an understanding of the data used to feed the technical provisions and SCR (either through an internal model or the standard formula). This should include the impact of individual data items and data sets on the calculations, and hence how the quality criteria of accuracy, completeness and appropriateness can be applied.
Once these are understood, a company can focus on the risk of not meeting the defined quality criteria, and hence the controls and monitoring that will need to be in place to ensure deficiencies in data are identified and addressed. For some data, it may be necessary to understand the flow from its use in the model right back to the point where it is captured. This understanding should include the feeder systems, the controls in place across the business and areas where the information is subject to expert judgement, along with details of any interfaces between systems.
Insurers will also have to ensure that external data meets the same standards of quality and verification as internally sourced information, which is likely to require close liaison with reinsurers, coverholders, brokers, asset managers, outsourcers and joint venture partners.
Key challenges include embedding data governance and data quality management within the business, and ensuring that key stakeholders understand the objectives of data quality management. Companies will also need to allow enough time to verify and, where necessary, rectify the controls, processes and content of what may be a significant number of data fields.
Providing evidence that your data is of the right quality is therefore likely to be a difficult and time-consuming challenge, and needs to focus on how data quality management becomes embedded into business as usual, rather than being a one-off exercise for Solvency II. Figure 1 highlights the key areas of focus for the data workstream for Solvency II, ensuring that it delivers the processes for governance and management of ongoing data issues, as well as the immediate assessment of data quality and identification of current data deficiencies.
The potential benefits of this process are wide-ranging and can include the identification of deficiencies or inaccuracies that may have gone undetected up until now. Some companies are also using Solvency II as the catalyst for the development of a common data governance approach across the business or a common data platform covering all of their models, including pricing, ALM and financial reporting, as well as risk, economic capital and other economic indicators (e.g. embedded value). The advantage is a consistent and verifiable single source of information, which can greatly enhance the effectiveness of management information and assure supervisors that the risk and capital model is fully integrated into business decision making (as required by the Solvency II ‘use test’). The use of a common data platform for different models can in turn demonstrate the company’s confidence in the models’ usefulness and reliability.
Up until now, risk and capital models have tended to be developed and operated in a relatively unsystematic way and have not been subject to the kind of formal controls seen in core business systems such as policy administration or accounting. In turn, while senior management needs to understand the model outputs, they have not needed to know too much about the model itself. This is all about to change as effective model control becomes a key aspect of internal model approval and overall compliance and model transparency throughout the organisation becomes more important.
Figure 2 outlines the key requirements for model control under Solvency II. Senior management will be directly responsible for the calculation of the key risk indicators. This includes being able to explain the main operational features of the model, understand its limitations and ensure that outputs are produced on time. In line with the Solvency II use test, they will also need to demonstrate sufficient faith in the inputs, outputs, operations and controls to use the models as a key basis for supporting their decisions. If senior management do not trust the model outputs, why should the supervisor?
Today’s relatively informal approach to model development will need to become much more structured and rigorous. This includes separation of development and testing and introducing a more methodical approach to model testing. Companies will also be expected to put in place systematic production and operational controls, including process documentation, auditability and reproducibility.
Finally, there needs to be ongoing validation to ensure that the model remains fit for purpose. This includes regular sensitivity, benchmarking and scenario analysis to gauge whether the model and its assumptions genuinely reflect the risks faced by the business. Models will also require independent validation to ensure an objective challenge to the internal model.
The oversight, verification and documentation demands of Solvency II will greatly increase the pressure on resources. The strain on already hard-pressed modelling capabilities will be further intensified by the increased frequency of regulatory reporting and steadily reduced turnaround times for reporting under Solvency II (see Countdown to Solvency II article ‘Up to speed with reporting’).
Without greater automation of risk and capital evaluation (see Countdown to Solvency II article ‘Industrialising Solvency II: Delivering sustainable business benefits’), the required control infrastructure could prove very difficult and extremely costly to maintain. There is a particular need to minimise the use of spreadsheets, which encourage manual intervention, heighten the risk of error and require the kind of qualified personnel that are in increasingly short supply.
Investment in greater automation would not only soon pay for itself through improved efficiency and cost-effectiveness, but also enable modelling teams to devote more time to providing better business insight. It would also provide a useful foundation for realising the potential synergies between Solvency II and the planned new IFRS for insurance contracts (see ‘Getting to grips with the shake-up’).
Under Solvency II, boards will be expected to understand and trust their risk and capital models. These have tended to be the preserve of actuaries and will now be subject to a much more systematic and structured governance framework. While clearly demanding, this is an opportunity to instil greater confidence in the models and hence secure the wider organisational buy-in that many models, however sophisticated, have often lacked. The basis for effective control is a clear understanding of where the data comes from, who is responsible for its accuracy, how the model uses this data and knowing that the results stand up to external validation and scrutiny. The people who use this information are the best judges of whether the results are sound and therefore should be directly responsible for ensuring that the mechanism for control is up to scratch.
www.pwc.com
© 2010 PwC. All rights reserved. "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.