CEIOPS General Governance Requirements incl some examples from insurers Morten Thorbjörnsen, Financial Supervisory Authority of Norway Malta, April 8th 2010 Page CEIOPS ”The gods strike back” Feb 13th 2010 ”The idea that markets can be left to police themselves turned out to be the world’s most expensive mistake, requiring $15 trillion in capital injections and other forms of support ”… ……”Another lesson was that managing risk is as much about judgement as about numbers.” Page CEIOPS Outline for presentation on General Governance Requirements • Brief: The Norwegian FSA – organization, main tasks • Governance concepts (corporate , internal , general , …) • Board of Directors’ responsibilities – Risk Management • General governance as defined in art 41 of Directive 2009/138/EC • Cases – examples of bad governance, from Nordic insurance • Norwegian financial supervision / regulation on internal controls & general governance – pre-Basel & pre-Solvency • Present status of regulatory framework in Norway – insurance specific and common approaches/tools for banking & insurance • Case study– Norwegian insurer: organizational framework for internal governance – present model and planned adaptation to Solvency • Bank & insurance : Convergence of supervisory approach to general governance • The way ahead – incl the 3L3 task force on internal governance Page Finanstilsynet – the Financial Supervisory Authority of Norway Entities under supervision - Banking and finance - Insurance and pension - Banks (140) - Financial companies (60) - - FFSSAA –– aauutthh NNOO: :InIntte eg oo 225500 rritithhyyininN grraateteddssu up ++e m N pploloyy oorrwwaayyss peerrvvisisoorry (H (Heerer em ini ee y eoof:f:a appppr.r eess, ,aall lin nccee119988 i 66 5500b baannkki nOOsslolo ning g, ,3388 ininssuu rarannc cee) ) Securities markets - - Life insurers (12) Non-life ins.companies & local fire ins.assoc (78) Insurance intermediaries (200) Pension funds (115) CEIOPS Investment firms (150) Mgm companies for sec funds (26) Clearing houses (4) Regulated markets, incl Stock exchanges (6) Estate agencies Debt collection agencies Auditors External accountants Page CEIOPS FSA, Norway – organization The Board Director General Administration Personnel and Organisation Strategy and Finance ICT (Internal) Records Management and Archives Finance and Insurance Supervision Staff Licensing, Laws and Regulations Analysis and Reporting Banking Supervision Staff: General Counsel Head of Communications Head of International Relations Special Adviser / Controller Executive Secretary Board Secretary Accounting and Auditing Supervision Financial Reporting Supervision Financial Reporting Financial Auditors Reporting and Supervision External Supervision Accountants IT Supervision IT Supervision Capital Markets Supervision Staff Securities Institutions Market Conduct Estate Agencies and Brokers, Debt Collection Firms Insurance Supervision Solvency Regulation and Risk Models Page CEIOPS Norway participates in several EU-fora, through membership in the EEA – European Economic Area • Observer in CEBS, CEIOPS, CESR and JCFC • Participates in most working groups under the level committees • Participates along with or on behalf of the Ministry of Finance in a number of the committees at level and working groups chaired by the EU Commission: – European Banking Committee, European Insurance and Occupational Pensions Committee, European Securities Committee, European Financial Conglomerates Committee – Expert groups on specific issues Page CEIOPS The main objectives of financial supervision are: • Preserve stability in the financial market • To verify compliance with rules and regulations • Ensure adequate solidity /solvency of institutions • Develop regulations and supervisory practices to promote high quality of risk management and control systems • Consumer protection Page CEIOPS Various concepts of governance • Corporate governance • Internal governance • General governance Page CEIOPS Corporate Governance • Corporate governance (CG): • “ involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and shareholders and should facilitate effective monitoring, thereby encouraging firms to use resources more efficiently” (OECD Principles of Corporate Governance 1999) • A supervisor’s view - different aspects of Corporate governance: – Owners’ perspective – the objective of having efficient capital markets – Solvency perspective – the objective of financial institutions having a conduct and solvency to secure their continous access to capital markets – Governance and control – the objective of institutions having a risk management and internal control system which can secure effective and efficient operations Page CEIOPS Internal Governance • The Committee of European Banking Supervisors – CEBS has set out it’s guidelines for internal governance: • Guidelines on the Application of the Supervisory Review Process under Pillar • With particular emphasis on – risk control – compliance – internal audit Page 10 CEIOPS The Board of Directors’ responsibility for risk management and internal control The board of directors shall ensure the institution has appropriate systems for risk management and internal control, including: ensuring a clear division of responsibilities between the board and the day-to-day management ensuring the institution has a clear organisational structure, setting goals and strategies for the institution, and general guidelines for its activities (stating) the risk profile the institution stipulating principles for the institution's risk management and internal control ensuring the risk management and internal control are established pursuant to legislation and regulations,… decisions, … ensuring the risk management and internal control are implemented and monitored, deciding whether or not the institution should have an internal audit function… evaluating the board of directors own work and competence in relation to the institution's risk management and internal control at least once a year Norwegian Regulations on Risk Management and Internal Control (2008) Page 23 CEIOPS Important, ”emerging” issues in BoD work • NPEP-processes: Board’s involvement in risk assessment before launching new products, i.e including risks to institution and to customers, - also reputational risk • Self assessment of BoD competence and activity, extra challenge for smaller, local institutions, - coping with quantity of new, complex legislation • Remuneration policy & practices Page 24 CEIOPS Importance of Board dialogue and involvement in On-site supervison 2) Bank forwards written DOCUMENTATION weeks 3) FSA undertakes ONSITE INSPECTION weeks 1) FSA-letter to notify ON-SITE INSPECTION to bank’s BoD weeks 6) FSA gives FINAL REPORT to bank’s BoD (publ.access) weeks weeks 5) BoD gives written REPLY 4) FSA gives PRELIMINARY REPORT to bank’s BoD (exempt publ.access) Page 25 CEIOPS Off site supervision – some Pilar experiences from supervision of Norwegian banks • ICAAP – the Basel equivalent of ORSA - very useful exercise – for banks and for supervisory authority,particularly year of ICAAP-submission • Full, written response to ICAAP from FSA-NO to all banks, stressing i.a importance of BoD involvement • FSA-NO has developed and published on our web-site risk modules specifying our procedures for evaluating the various risk areas in banking and in insurance (assessing risk exposure and internal control & governance) – developed primarily as our on-site working-tool, but serves as guidelines for industry in developing their control environment Page 26 CEIOPS Governance framework Gjensidige Insurance, Norway Board of directors / Audit Committee Group Management Group Risk Committee ORSAprocess Internal Audit Operational Management ORSAreport Chief Risk Officer Actuary Internalmodel line Executes risk management and internal control Compliance line Considers, monitors, surveys, - gives advice & quality assurance, quantifies & aggregates risk line Audits framework for risk management and internal control, reports to Board of Directors Page 27 CEIOPS ”Three lines of defence” – new tasks & responsibilities [1] First line: Board of directors – Sets risk appetite with clear links to strategy – Approves ORSA, SFCR and RTS Group management – Prepare and present ORSA to BoD – Presents SFCR and RTS for BoD’s approval Page 28 CEIOPS ”Three lines of defence” – new tasks & responsibilities [2] Second line: Chief Risk Officer [CRO] – (group level and subisidiaries) – Participates in ORSA,SFCR & RTS process – Checks appropriateness og system for RM & Internal control, - participates in updates and control of internal models Actuary – More formal and more extensive statements on reinsurance and UW – QA of calculations and assumptions in internal models – Assurance of consistency and validity of data for reserve calculations Compliance Officer [CO] – Testing and reporting on compliance risk – Responsibility for CO-tasks in subsidiaries Page 29 CEIOPS ”Three lines of defence” – new tasks & responsibilities [3] Third line: Internal Audit [IA] – Checks line fulfilment of tasks and testing of compliance – Audit of ORSA and internal models NB! Solvency will require all insurance companies to have an Internal Audit- function, – under present Norwegian regulation only the larger companies (with total assets > appr EUR 1,2 billion) were required to have IA Page 30 CEIOPS Some lessons learnt in the Soc Gen case (Rogue trading) - general governance & internal controls – • Failed segration of duties at all levels of control (front/middle/back) • Lack of IT-related controls (change of passwords) • Weak business routines (minimum weeks consecutive holiday) • Inadequate reporting (counterparty limits, exceptional cases) • Weak escalation processes (lack of consequences, no follow-up of signals) Source: CEBS July 2008: A summary of the results of stock-take of banks’ and supervisors’ reactions to the operational risk loss event at Société Générale Page 31 CEIOPS The hazards of inductive knowledge Bertrand Russell, 1872-1970 January 2008 Société Générale trading loss incident Appr € 4.9 billion variable Disaster ! AMA approval ”Best in the world on risk mng” time Risk Magazine Page 32 CEIOPS Lessons learnt… • Lessons for supervisors • SG had just had their AMA-model approved by supervisors, • Awards for best governance… Page 33 CEIOPS Main Common & Specific Risk Factors Banking vs Insurance SPECIFIC RISK FACTORS BANKING SPECIFIC RISK FACTORS INSURANCE Underwriting Risk Credit Risk Liquidity Risk Other Banking Risks Market Risk Reputational Risk Operational Risk (IT, Fraud, HR, External etc) Legal Risk Reinsurance Risk Asset / Liab Matching Risk Other Insurance Risks (Underprovisioning, Actuarial, etc.) Page 34 CEIOPS Several cross sector initiatives to integrate regulations and supervisory practices • Principles for enhancing corporate governance (Basel committee - BCBS 168) – P.2: … a number of corporate governance failures and lapses, many of which came to light during the financial crisis that began in mid-2007 These included, for example, insufficient board oversight of senior management, inadequate risk management and unduly complex or opaque bank organisational structures and activities – P 4: Many of the corporate governance shortcomings identified during the financial crisis that began in mid-2007 have been observed not only in the banking sector but also in the insurance sector Page 35 CEIOPS Several cross sector initiatives… • 3L3 TASK FORCE ON INTERNAL GOVERNANCE (TFIG) Crosssectoral stock-take and analysis of internal governance requirements - a joint report by CEIOPS, CEBS & CESR – to identify areas where harmonisation might be required, – Identified areas where some guidance would be beneficial, incl.: • Management of conflicts of interest; • Policies, processes and procedures related to the risks covered by the risk management systems; • How the risk management, compliance and internal audit functions might be “independent” in the light of their different sectoral requirements; • The supervisory review process Page 36 CEIOPS Thank you Morten Thorbjörnsen, FSA - Norway mot@finanstilsynet.no Page 37 ... protection Page CEIOPS Various concepts of governance • Corporate governance • Internal governance • General governance Page CEIOPS Corporate Governance • Corporate governance (CG): • “ involves a... on internal governance Page Finanstilsynet – the Financial Supervisory Authority of Norway Entities under supervision - Banking and finance - Insurance and pension - Banks (140) - Financial companies... diversity); - risk oversight (Risk Committee); - cooperation with supervisors • Risk management - improve the standing and the authority of risk management; - improve the flow of information on risk; -