Own Risk and Solvency Assessment




(1)
Johannes Gutenberg University, Mainz, Germany

 




Abstract

The own risk and solvency assessment under art. 45 of the Solvency II Directive forms the subject of this chapter. Initial attention is given to clarifying the role of ORSA in the insurance supervisory regime and the principles applicable to it. Then follows a discussion of the relationship of ORSA to the risk management function as well to the other key functions under the insurance supervisory regime. In conclusion, the chapter addresses, inter alia, the documentation, the public disclosure, and the supervisory powers involved in an ORSA procedure.


First published as “Die unternehmenseigene Risiko-und Solvabilitätsbeurteilung (ORSA) nach Solveny II und VAG 2012” [in English: Own Risk and Solvency Assessment (ORSA) under Solvency II and the VAG 2012 [German Insurance Supervision Act 2012]], VersR (2012), 129 ff. with Christoph Ballmaier as coauthor. Christoph Ballmaier was at that time a research assistant at the law school of Johannes Gutenberg University in Mainz.



5.1 Introduction


Under art. 45 of the Solvency II Framework Directive,1 each insurance undertaking will be required to conduct its Own Risk and Solvency Assessment in the future.2 The ORSA process has been designed to be part of the risk management system of an insurance undertaking. Detailed rules on the ORSA process are not provided in the draft of the implementing regulation (Level 2).3 , 4 In November 2011, however, the EIOPA5 published a Consultation Paper on the design of Level 3 measures for the ORSA process.6 This Consultation Paper largely excludes both the role of supervisory authorities and their power with respect to Own Risk and Solvency Assessment.7 Many details on integration of the ORSA process into the organizational structure and existing processes within the insurance undertakings remain to be clarified. The EIOPA’s statements primarily center on the objectives of the ORSA and not on its implementation and execution.8

Insurance undertakings will enter unexplored legal territory with the introduction of the ORSA, and thus numerous legal questions arise. Due in part to the ambitious time frame for implementing Solvency II,9 these questions must be addressed in order to ensure the proper conversion of art. 45 of the Solvency II Framework Directive into national law as well as swift and legally correct adoption of the ORSA process by insurance undertakings. A new sec. 28 of the VAG [German Insurance Supervision Act] will implement relevant paras. 1 through 5 of art. 45 of the Solvency II Framework Directive into national law10; and para. 6 on the reporting obligations of insurance undertakings to the BaFin [Federal Financial Supervisory Authority] will be implemented by a new sec. 44, no. 8 of the VAG [German Insurance Supervision Act], accompanied by implementation measures from the European Commission.11 The declaratory paragraph 7 is not taken up in the ministerial draft of the law.12

The ORSA’s origin from within the Solvency II system is important to understanding it from a legal point of view. The present article therefore begins with the role of the ORSA in the new Solvency II regime (5.2) as a precursor to illustrating the principles underlying an ORSA (5.3). The article then frames the ORSA more precisely within the risk management function of an insurance undertaking (5.4) and examines the relationship of the ORSA to both the actuarial function and the calculation of regulatory capital requirements (5.5). The roles of the compliance function and internal audit for the ORSA also are worthy of attention (5.6). A number of individual issues related to the ORSA are also addressed (5.7), along with documentation and duties of disclosure in connection with the ORSA (5.8). Finally, the powers of the supervisory authorities with respect to the ORSA are examined (5.9).


5.2 Subject-Matter and Objective of the ORSA


Recital 36 of the Solvency II Framework Directive emphasizes the prominent role of regular self-assessment of overall solvency needs with respect to the individual risk profile of each insurance undertaking. The ORSA is the logical consequence of the principles-based supervision that Solvency II targeted, however unsuccessfully, with the four-level system. Its intention is to confer more direct responsibility to insurance undertakings for meeting the requirements of financial supervision law.13

Thus, from the perspective of the undertaking, the ORSA is an internal tool for estimating the overall solvency needs expected in the short and long term. On the other hand, from the perspective of the supervisory regime, it is a source of information for the insurance supervisory authorities.14 The Issues Paper on Own Risk and Solvency Assessment from CEIOPS defines the ORSA as the entirety of the processes and procedures employed to identify, assess, monitor, report, and manage short and long term risks, and to quantitatively determine and meet own funds requirements.15 The ORSA is therefore composed of a qualitative and quantitative component.16 In its analysis, the ORSA is also supposed to include risks that have not already been accounted for based on the requirements of the standard model or of any approved internal model used.17

Under art. 45, para. 5 of the Solvency II Framework Directive, the ORSA should be conducted on a regular basis—at least once a year or as otherwise appropriate based on the risk profile of the insurance undertaking, according to EIOPA18 and the Statement of Grounds for the Ministerial Draft,19—and additionally “following any significant change in the risk profile”. Whether a change is “significant” in this sense depends on the individual case.20 With respect to the role of the ORSA in risk management, significance can be assumed if, based on prior evaluation, doubt exists that the ORSA conducted most recently still accomplishes its functions stated above.


5.3 The Solvency II Legal Principles Applicable to the ORSA


The ORSA is part of the new risk management system within the meaning of Solvency II. All of the principles underlying Solvency II therefore apply. The existence of the ORSA concept is chiefly the result of the principles-based approach to supervision.21 This concept rests on the assumption that an increase in regulation does not facilitate the adequate recognition of risks nor can it keep pace with the dynamics of financial markets.22

The Solvency II Framework Directive is shaped in particular by the principles of materiality and proportionality. According to the former, only risks that are material to the risk status of the insurance undertaking should be considered in the risk analysis. The assessment as to which risks should be viewed as material is essentially left to the insurance undertaking.23 This is consistent with the current concept in sec. 64a of the VAG [German Insurance Supervision Act] in conjunction with the explanatory MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)]24 and the future secs. 27 ff. in the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act]. The materiality principle entails regular review of the criteria that insurance undertakings apply to determining the significance of risks.

According to the principle of proportionality in art. 29, para. 3 and Recital 19 of the Solvency II Framework Directive, which in its partial implementation25 is presumably reflected only in the context of the exercise of the supervisory authority in sec. 290 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act]—and thus is not sufficiently anchored in the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] as far as the ORSA is concerned—the complexity of an ORSA must be aligned with the complexity of the business model and the risk status of the insurance undertaking.

CEIOPS emphasized that the principle of proportionality can have impact in two directions.26 Undertakings with simple business models can conduct a simple ORSA. But with increasing complexity in the business model, a sufficiently comprehensive ORSA must be used.27

Under art. 45, para. 4 of the Solvency II Framework Directive, the results of an ORSA are to “be an integral part of the business strategy and shall be taken into account on an ongoing basis in the strategic decisions of the undertaking”. The ORSA, therefore, cannot be divorced from the business strategy. If fulfillment of the requirements of art. 45, para. 4 of the Solvency II Framework Directive is subject to supervision, the business strategy is then indirectly also subject to review. Taken on its own, the coupling of a legally required ORSA with the business strategy impacts the proprietary function of all (insurance) undertakings in an economic and legal system based on entrepreneurial freedom. Added to this is a supervisory responsibility that includes this strategy-based ORSA. Against this background, a question requiring special emphasis concerns the boundaries between business autonomy and the outside influence of the state in determining, amending, and implementing the business strategy.28


5.4 The ORSA and the Risk Management System



5.4.1 The European Law Framework


In its legislative design, the ORSA is part of the risk management system classified under Pillar 2 of Solvency II.29 But the ORSA also pertains to some measures that are attributable to Pillars 1 and 3 of Solvency II.30 For example, according to art. 45, para. 6 of the Solvency II Framework Directive, the results of an ORSA must be disclosed to the supervisory authority in the report required under art. 35 of the Solvency II Framework Directive (Pillar 3). Quantitative matters, which are actually categorized under Pillar 1 of the three-pillar concept, must also be addressed in the ORSA process, particularly as the overall solvency requirements must be presented both quantitatively and qualitatively.31 As Recital 36 and art. 45 of the Solvency II Framework Directive, as well as the papers published by CEIOPS and now EIOPA indicate, the ORSA is not simply a matter of documenting and communicating a result. The ORSA is designed in such a way that its implementation will also have a significant effect on the internal and external conduct of insurance undertakings.32 This result flows not in the least from the obligation to assess whether the undertaking continuously ensures compliance with the solvency capital requirement in accordance with art. 45, para. 1, subpara. 2 b of the Solvency II Framework Directive.33

Under art. 45, para. 4 of the Solvency II Framework Directive, ORSA has considerable influence on the governance of an insurance undertaking. This is so because ORSA is presumed to be an integral component of the business strategy and must be taken into account in making strategic decisions.34 Most importantly, a certain amount of interaction between the ORSA and the business strategy established by management is supposed to transpire: On one hand, the business strategy and the determination of risk appetite of an insurance undertaking defines the ORSA process, since the ORSA is based on their assessment.35 On the other, business strategy is supposed to be based on the results of the ORSA.36 Further the ORSA sets boundaries for asset management. Under art. 132, para. 2 of the Solvency II Framework Directive,37 investment is permitted only in financial instruments that can be considered adequate to the undertaking’s self-assessment of its risk profile and solvency. In November 2011, EIOPA published a Consultation Paper on implementation guidelines at Level 3. The guidelines therein reflect the understanding of the supervisory authority regarding art. 45 of the Solvency II Framework Directive. The purpose of the guidelines is to ensure convergent and effective insurance supervision in the member states, particularly with respect to the Level 2 implementing regulation. The guidelines must be gauged against the implementing regulation on the one hand, and directly against art. 45 of the Solvency II Framework Directive on the other. Otherwise they would not be functional as guidelines for supervisory measures in the Member States. Although the guidelines at Level 3 are not legally binding,38 due to the comply-or-explain approach and the disclosure obligation associated with it—for example, in art. 16 of the EIOPA regulation39—they have a de facto binding effect for national supervisory authorities and insurance undertakings. Not least for this reason, their density is questionable, a matter which the European Economic and Social Committee addresses head-on.40 Nevertheless, Level 3 measures, unlike the Level 2 implementing regulations, may not exceed the requirements in the basic legal act at Level 1, or extend further than the implementing regulations at Level 2.41 A condition of the multilevel supervisory regime is the delegation to the Commission for implementation at Level 1. The limit of the delegation at Level 2 is the principle of materiality in combination with the relevant delegation rule. At level 3, however, it is the terms of the law at Levels 1 and 2.


5.4.2 Present Law: The Relationship of the ORSA to Sec. 64 a, Para. 1, 2 of the VAG [German Insurance Supervision Act] and the MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)]


Sec. 64 a of the VAG [German Insurance Supervision Act] was introduced to a certain extent in anticipation of the coming changes in Solvency II and thus to enable insurance undertakings to make a smooth transition to the Solvency II regime.42 In Circular 3/2009 (MaRisk VA [Minimum Requirements for Risk Management—Insurance Supervision]), BaFin [Federal Financial Supervisory Authority] provides its legally non-binding interpretation of the application of sec. 64 a of the VAG [German Insurance Supervision Act] for the addressees of the law.43 Because the ORSA process is part of the risk management system, many of its components have already been implemented in German law in advance, in particular in sec. 64 a, para. 1 sent. 4, no. 3 a of the VAG [German Insurance Supervision Act] with the obligation to generate a risk-bearing capacity concept. Some of the rules of the guidelines proposed by EIOPA on ORSA have counterparts in the MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)], in particular concerning the own risk assessment.44 In the new four-level system of Solvency II, however, there is no longer a place for the current MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)]. This is so because it not only explains the practice—which may also continue under Solvency II—of BaFin [Federal Financial Supervisory Authority] in a purely descriptive way. Rather, it goes further in some respects, taking on the character of a normative system by justifying new and far-reaching legal obligations of insurance undertakings.45 Here, the BaFin [Federal Financial Supervisory Authority] usurps the role of the legislator.46 Add to this that supervisory circulars, whatever the substantive quality one may see in them, can never constitute the implementation act necessary under European law. Therefore, any remaining anticipatory implementation of Solvency II requirements by MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)] are ruled out, including with respect to the ORSA.

The ORSA under Solvency II and the internal management and control system under the current VAG [German Insurance Supervision Act] start from the same assumption that undertakings should capture their overall risk profile based on an economic assessment. In the view of EIOPA47 and the BaFin [Federal Financial Supervisory Authority]48 respectively, both the ORSA and risk management under sec. 64 a, para. 1 and 2 of the VAG [German Insurance Supervision Act] should entail a qualitative and quantitative assessment of the risks. In a departure from sec. 64 a of the VAG [German Insurance Supervision Act], art. 48, para. 1 i of the Solvency II Framework Directive includes the actuarial function in the risk management process. In the current law under sec. 64 a of the VAG [German Insurance Supervision Act], it is left to insurance undertakings as to whether they even have an actuarial function at all.49 The opposite applies under the Solvency II Framework Directive. A convergence of the VAG [German Insurance Supervision Act] with the requirements of Solvency II in this respect was actually proposed by the BaFin [Federal Financial Supervisory Authority],50 but no requirement to install an actuarial function is present in current law.

The assessment of continuous compliance with regulatory capital requirements, as required in accordance with art. 45, para. 1, subpara. 2 a of the Solvency II Framework Directive, is also found in sec. 64 a, para. 1, sent. 3 and 4, no. 3 a of the VAG [German Insurance Supervision Act].51 The same applies to art. 45, para. 2 of the Solvency II Framework Directive. Its counterpart in the current German law is sec. 64 a, para. 1, sent. 3 and 4, of the VAG [German Insurance Supervision Act]. The documentation requirement with respect to the methodology of risk recognition and risk evaluation52 is included in sec. 64 a, para. 1, sent. 4, no. 3 a of the VAG [German Insurance Supervision Act].53

Art. 45, para. 1, subpara. 2 c of the Solvency II Framework Directive obligates insurance undertakings to review their risk profile for significant deviation54 from the underlying assumptions in Solvency II for the calibration of solvency. Sec. 64 a of the VAG [German Insurance Supervision Act] is silent on this matter, and the MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)] also makes no mention of such reviews. This can be explained in that the assumptions underlying Solvency II have thus far not been sufficiently transparent and the legislator was therefore unable to prescribe this sort of review. Should the rule, for which a draft already exists with sec. 24 VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act], not be replaced with a successor provision by the critical implementation date, one possibility for taking account of the questionable review requirement in sec. 64 a, para. 1 of the VAG [German Insurance Supervision Act] would be its interpretation in alignment with European law. That sec. 64 a of the VAG [German Insurance Supervision Act] is not technically an implementation act but rather an anticipation of the (expected) legislation upon enactment of the Directive is not a hindrance to such an interpretation at this time. An interpretation that aligns with the Directive is also possible absent an implementation act, or in the event one is adopted that has gaps.55 The link would be sec. 64 a, para. 1, sent. 4, no. 3 b of the VAG [German Insurance Supervision Act]. Significant deviation of the individual risk profile from the calculation assumptions in Solvency II is itself a risk of defective or insufficient models, also known as parameter or model risk.56 Recognition of this risk and managing it would be encompassed in an interpretation of sec. 64 a, para. 1, sent. 4, no. 3 b of the VAG [German Insurance Supervision Act] that aligns with the Directive, and in doing so the criteria for evaluating this risk would necessarily be the basic assumptions required by Solvency II.

Thus, in this respect, with sec. 64 a of the VAG [German Insurance Supervision Act], the German legislator has largely, but not completely, achieved his goal of early incorporation of Solvency II into German law. In particular, the actuarial function does not play the role in risk management under sec. 64 a VAG [German Insurance Supervision Act] that European law assigns to it. Moreover, the German “pre-implementation” in some partial rules, combined with the MaRisk VA [Minimum Requirements for Risk Management (Insurance Supervision)], has even overshot this goal. This is the case in particular if it specifically requires independence only for the risk-controlling function—as in sec. 27, para. 5 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act]—rather than independence for all governance functions as required in art. 258 SG6 of the draft implementing regulation.


5.4.3 Future Law: Sec. 28 of the VAG [German Insurance Supervision Act] in the Version of the Ministerial Draft


The implementation of the European law ORSA requirements into the VAG [German Insurance Supervision Act], adverted to above, is intended to produce a new sec. 28 of the VAG [German Insurance Supervision Act].57 In its wording, sec. 28 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] largely follows art. 45 of the Solvency II Framework Directive. But the Ministerial Draft is generally, and thus also in sec. 28, focused on preserving German legal terminology. This is seen, for example, in sec. 28, para. 2, no. 3 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act], which employs the term “Wesentlichkeit von Abweichungen” [in English: materiality of deviations] while art. 45, para. 1, subpara. 2 c of the Solvency II Framework Directive uses “Signifikanz der Abweichung” [in English: significance of deviation]. This terminological unicum in the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] goes astray in both principle and specifics. In order to ensure the most unified possible application of the law within the scope of the Solvency II Framework Directive, it would be advisable to also use the term “significance” in the new sec. 28 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act]. This is especially true in light of the fact that the language in the German version of the Solvency II Framework Directive in arts. 37, 45 and 119 also wrongly deviates and must itself be unified in a correct interpretation of the European law.58

Where art. 45, para. 2 of the Solvency II Framework Directive further speaks of “the risks [the insurance undertaking] faces in the short and long term and to which it is or could be exposed”, sec. 28, para. 3 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] makes do with referring to “all risks”.59 This is all the more surprising since the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] actually employs the terminology of the Solvency II Framework Directive largely unaltered elsewhere in sec. 27, para. 1, sent. 2 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act], requiring that risk management cover “risks to which the undertaking is exposed or could be exposed”. What must be made clear for the interpretation of the legal requirement of “all risks” is, first of all, that the national legislator’s use of this terminology does not invalidate the principles of materiality and proportionality,60 as discussed above, and that only the material risks pertaining to the respective insurance undertaking can be meant. Thus here again, through a divergence in wording, the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] prompts an avoidable need for interpretation in alignment with the Directive. This is so because only such interpretation will ensure the necessary consideration of materiality and proportionality. Furthermore, this example once again underscores the criticism of what is currently only partial implementation of the principle of proportionality in the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act].61

Further, sec. 28, para. 3 VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] forgoes implementing the formulation “could be exposed” as found in art. 45, para. 2, sent. 1 of the Solvency II Framework Directive in reference to the risks recognized. This does not ultimately appear to interfere with interpretation of sec. 28, para. 3 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] because hypothetical risks are also risks. Nevertheless, legal clarity is not well served by this type of defective implementation.

Conversely, sec. 28, para. 3, sent. 2 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] has no counterpart in the Solvency II Framework Directive. According to this passage, the ORSA process must “incorporate, in particular, the independent conduct of stress tests and scenario analyses”. Based simply on the nature of the Directive as fully harmonizing,62 a legal order for independent stress tests and scenario analyses is not allowable, absent a rule at Level 2 that is yet to be made. Moreover, it also breaks from the design of the ORSA in the European law, which gives free rein to insurance undertakings with respect to the modality of conducting an ORSA.63 While insurance undertakings are free to decide the methodology of implementation, they are at the same time under an obligation to explain the method’s adequacy under art. 45, para. 2, sent. 2 of the Solvency II Framework Directive. The national legislator is bound by this.

The Ministerial Draft then refrains from adopting art. 45, para. 7 of the Solvency II Framework Directive. In this passage, the European legislator makes clear, i.a., that the ORSA “shall not serve to calculate a capital requirement”.64 For this defective implementation, the statement of grounds for sec. 28 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] refers only to the declaratory nature of the rules65 and views a counterpart in the new VAG [German Insurance Supervision Act] as superfluous. However, in view of the important role of ORSA in risk management, and particularly because the insurance industry thus far has no experience with Own Risk and Solvency Assessments, the determination made in art. 45, para. 7 of the Solvency II Framework Directive would be entirely reasonable in a new VAG [German Insurance Supervision Act]. Practitioners would assuredly find such a clarification a useful aid to interpretation.

Lastly, art. 45, para. 6 of the Solvency II Framework Directive, which governs the disclosure requirements in the report to supervisory authorities with respect to the ORSA, is implemented incompletely in sec. 44, no. 8 of the Ministerial Draft of the VAG [German Insurance Supervision Act] through the establishment of duties of notice.66

The ORSA is a highly complex process; and its associated costs may have a significant impact on insurance undertakings. In terms of cost, the Statement of Grounds of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] refers only to those incurred in complying with the duties to inform. The draft identifies “the new risk and solvency assessment in sec. 44, no. 8 at 635,000 euros” as the “most expensive duty to inform”.67 To the extent the draft relies on mandatory EU law, the legal basis given is incorrect68 and the amount given is incorrectly low. Sec. 44, no. 8 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] relates exclusively to the duty to inform the supervisory authority in the event of an extraordinary ORSA, and the table accompanying the Statement of Grounds69 contains six additional ORSA-related duties, solely in consideration of art. 45 of the Solvency II Framework Directive or sec. 28 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act], for which a total cost of 15,375,499 euros is indicated.


5.5 ORSA, Actuarial Function, Standard Formula and Internal Model


The ORSA requires—even if not directly stated in the wording of sec. 28 VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act]—to include the actuarial function into risk management since the overall solvency assessment is quantitative.70 In this context, the actuarial function is part of the risk management system pursuant to the legislative concept.71 Accordingly, it determines not only whether the Solvency Capital Requirements according to supervisory law are met, but also how high the overall solvency requirements are. Further, the actuarial function must assess the significance of deviation within the meaning of art. 45, para. 1, subpara. 2 c of the Solvency II Framework Directive,72 or the materiality of deviations within the meaning of sec. 28, para. 2, no. 3 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act].

The standard formula and internal models are directed exclusively at the capital requirements according to supervisory law. The ORSA, on the other hand, examines the capital position of the insurance undertaking from the perspective of the overall solvency needs. This perspective encompasses, for example, the future-looking risk and overall solvency analysis in the ORSA over longer periods of time73 and allows, consistently, that future sources of profit may also be considered in the ORSA along with all significant risks. Non-quantifiable risks must also be specifically included in the ORSA process.74 It must also be emphasized that capital add-ons required under supervisory law shall not be automatically tied to the ORSA process.75

The ORSA is intended to enable insurance undertakings to assess whether the standard formula of Solvency II is sufficient to assure the solvency of the insurance undertaking.76 If this sufficiency is in doubt, the undertaking must, according to the EIOPA, examine whether the development of an internal model would be more advantageous.77 If the insurance undertaking already uses an internal model, the ORSA shall evaluate the adequacy of its functioning.78 For example, the assumptions underlying the internal model and other data must be reviewed. Or an investigation is conducted to determine whether the risks depicted in the model are sufficient for an adequate projection of the true risk profile.79 Such techniques and processes entail a great deal of crossover, which produces not only considerable redundancy but also the danger of accretion in technical processes that are no longer transparent or understandable by the management and supervisory bodies in the insurance undertaking, and a concomitant dependence on this structure.

Finally, questions arise when comparing the standard formula and the ORSA. The problem is that, on one hand, the insurance supervisory regime gives insurance undertakings instructions for calculating regulatory capital with the standard formula. On the other, with the requirements for the risk management system, it requires the undertaking’s management to continuously question the standard formula in connection with any significant deviation within the meaning of art. 45, para. 1, subpara. 2 c of the Solvency II Framework Directive. This interpretation inverts the supervisory relationship, demanding that the supervised insurance undertaking continuously audit the usefulness of the standard formula provided in supervisory law. From a legal point of view, it cannot be the responsibility of those subject to supervision to conduct ongoing review of supervision rules with an eye out for necessary changes, and in so doing undergo yet another examination by the supervisory authority actually responsible for this.

This contradiction can be explained only by noting the strong emphasis on Pillar 2 in the architecture of Solvency II, which assigns a key role to risk management.80 The legal bases for intervention under supervisory law in the event of violations of regulatory capital requirements (Pillar 1) are accordingly different from those related to violations of the requirements for risk management (Pillar 2). Thus the capital add-on under art. 37 of the Solvency II Framework Directive can be tied cumulatively to both defective corporate governance (art. 37, para. 1, sent. 2 c of the Solvency II Framework Directive) as well as to any significant deviation in the risk profile from the assumptions underlying the calculation of the standard formula (art. 37, para. 1 a and b of the Solvency II Framework Directive). The implementation proposal in sec. 295, para. 1, sent. 2 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] reflects this view.


5.6 The ORSA, the Compliance Function, and the Internal Audit Function


Under art. 46, para. 1, subpara. 2 of the Solvency II Framework Directive, the internal control system for all insurance undertakings includes a “compliance function”. One of the requirements whose fulfillment is monitored by this function is the ORSA as prescribed under the supervision law. Thus, the compliance function is also involved with the ORSA.

Simply monitoring whether the regularly mandated ORSA is aligned with applicable requirements constitutes a significant challenge for a compliance function, particularly as it relates to the required expertise of the relevant compliance staff. The challenge is even more significant for two areas in which the duty to act on the part of the compliance function, based on the sweeping wording of the Solvency II Framework Directive alone—and made even more concise in the implementation proposal in sec. 29, para. 1 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act]—leads to an unsound resolution.

First, there is the nexus, discussed in detail below,81 of the ORSA with the business strategy under art. 45, para. 4 of the Solvency II Framework Directive. If, as a proprietary function of the undertaking’s management, business strategy is not only non-delegable but also exempt from supervision, as will be shown, the activity of the compliance function in connection with ORSA must also be excluded from the outset. Below this threshold, where a certain sensitivity to and restraint from influence by third parties is always mandated due to the close involvement with strategic decisions by management, it must be consistently restricted to verifying the exercise and subsequent consideration by management of the ORSA process and its results.

A further question arises with respect to the competence limits of the compliance function as to how it should monitor the requirement mandated in art. 45 of the Solvency II Framework Directive for an extraordinary ORSA. Under art. 45, para. 5 of the Solvency II Framework Directive, an extraordinary ORSA is required following any significant change to the risk profile of an insurance undertaking.82 However, the result of this cannot be that the compliance function itself also monitors for changes to the risk profile. Rather, the compliance function is restricted to analyzing its findings from general compliance activities, which also includes monitoring risk management requirements, to determine whether cause for an extraordinary ORSA exists. Beyond this, the compliance function may observe risk management only to ascertain whether it properly responds to relevant changes in the risk profile by initiating an extraordinary ORSA.

Because the ORSA is part of the risk-management system, it is also within the scope of responsibility of the risk-management function, which monitors the risk-management system by virtue of art. 259 SG7, para. 1 b of the draft implementing regulation. In addition, internal audit is required to examine the “adequacy and effectiveness of . . . elements of the system of governance” in accordance with art. 47, para. 1, subpara. 2 of the Solvency II Framework Directive.83


5.7 Individual Issues Concerning the ORSA



5.7.1 The ORSA and Free Enterprise



5.7.1.1 The Problem


View of the very far-reaching requirements of the ORSA, there may be concern that the legal framework no longer permits sufficient freedom of management in business. From a legal perspective this would mean that the ORSA is not compatible with the fundamental freedom rights to conduct a business (see art. 16 of the EU Charter of Fundamental Rights (the Charter)84 and art. 12, para. 1 of the German Basic Law).85 Indeed, substantial interference with free enterprise flows from the requirement on insurance undertakings for a continuous ORSA. Also relevant is the prohibition on optimization in supervisory law. This principle means that supervisory law must not mandate business practices which would best fit the aims of economic supervision.86

Only legally binding rules can be employed to answer the question of proportionality of the ORSA requirements. The Level 3 measures do not—at least not generally87—belong here.88


5.7.1.2 The Justification of the ORSA as an Obligatory Responsibility of the Undertaking


Apart from the question of whether the guarantee of essential substance in art. 52 of the Charter stands on its own or must instead be systematically assigned to the examination of proportionality,89 the quintessence of entrepreneurial freedom90 is unaffected by the ordering of an ORSA in art. 45 of the Solvency II Framework Directive. In this case, art. 45 of Solvency II Framework Directive is appropriate for the purpose of meeting the supervisory objectives.91 But doubt as to proportionality could arise from the criterion of necessity. It must be considered, however, that there is no apparent recourse that would be milder than an ORSA and yet equally effective. In particular, an appraisal of risk and solvency situation by the supervisory authorities instead of an ORSA by the insurance undertaking would not be a viable alternative as it would lack comparable effectiveness and curtail entrepreneurial latitude. Lastly, with respect to maintaining the principles of materiality and proportionality, its adequacy must also be affirmed. With respect to the “how” of implementing the ORSA, insurance undertakings—at least according to the text of the Directive—are largely given free rein.92

In addition, in the evaluation under European law, the decision practice of the European Court of Justice on the proportionality of intervention in the freedom to conduct a business must also be noted. The European Court of Justice tends to allow the European legislators a wide scope for evaluation as to limitations of occupational and entrepreneurial freedom exempted from judicial review.93 In view of the essential goals of Solvency II and under the assumption that Level 2 and Level 3 rules cannot be the basis for an alternative assessment, the requirements of the principle of proportionality as it relates to justification of an obligatory responsibility of the undertaking for ORSA are therefore met.

These considerations, however, do not speak to the individual questions concerning the ORSA and, most importantly, its supervisory review. This is so because a legally permissible justification for Own Risk and Solvency Assessment does not necessarily mean that far-reaching official supervision and control of this process is legally permissible. If it did, the title “own” would be effectively removed on the subordinate level of enterprise supervision, and thus the associated entrepreneurial freedom with respect to “how” and “how much” would be eliminated.


5.7.1.3 ORSA as an Integral Part of Business Strategy



The Task of the Managing Board and Monitoring of the ORSA by the Supervisory Authority

Intervention in the entrepreneurial freedom is delicate insofar as ORSA results are intended to be an integral component of business strategy and important individual decisions. Limitations on the insurance undertaking’s freedom to act may result thereof. In order to evaluate the legal justification for such intervention, the reach of the intervention must first be examined, meaning the extent to which ORSA results are required to be used in the business strategy and important individual decisions, and how much latitude then remains for operating the business.

In Guideline 14 of the Consultation Paper and the explanatory text associated with it, EIOPA explained its conception of art. 45, para. 4 of the Solvency II Framework Directive to the effect that ORSA results and findings must be included at least for the Governance System, including long-term capital management, capital investment, business planning, and even product design and development. This is a broad subject area. However, the intensity of inclusion is more limited, as suggested on first view by the formulation “integral part”. Insurance undertakings are required only to “take (the ORSA) into account” in each of these areas.94 Under this design, the ORSA “feeds into” the management of the business.95 In this understanding, the awareness and serious consideration—including with respect to any consequences derived—of the ORSA results and other findings from the ORSA process are sufficient.96

The development of a business strategy and of the internal processes leading to it is a key task of the managing board, which is exercised under its own responsibility in accordance with sec. 76 of the AktG [German Stock Corporation Act].97 Thus, this task cannot be delegated98 and is not subject to supervision. A broader view of the ORSA as an integral part of the business strategy would result not only in all those practical difficulties on whose account the “business judgement rule” was incorporated into German law first through case law99 and later in statutory form through sec. 93, para. 1, sent. 2 of the AktG [German Stock Corporation Act].100 Most importantly, such broader view would also be incompatible with principle of freedom to conduct business protected through art. 12, para. 1 of the German Basic Law, and more recently, art. 16 of the EU Charter of Fundamental Rights.101 Then, too, the principle of proportionality must receive its due consideration.102 Accordingly, business strategy must be freely determined by the responsible management bodies. Whether business strategy inclines toward risk or leans away from risk in the long term remains essentially a separate matter from the ORSA as long as consideration of the ORSA takes place as outlined earlier. Of course, the results of the ORSA must result in change to the business strategy if there is no other way to ensure solvency. But that is only as a last resort. As a tool of risk management, ORSA has no unmediated impact on the business strategy in the sense of a direct control function. Rather, ORSA indirectly influences the strategy to the extent that its results are indicative of the risk status and overall solvency of the insurance undertaking, and thus indispensable to the responsible—in the sense of relevant for the exclusion of liability—development of business strategy by the proper bodies of the insurance undertaking.

Even if the principle of supervisory exemption applies to the development and amendment of business strategy, this area is not entirely supervision-free. According to the statement of grounds for sec. 28 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act],103 the ORSA process fulfills “two functions”. It forms an “internal assessment process within the undertaking” on one hand. And on the other, it provides important insight about the undertaking to the supervisory authorities, who must be informed as to the results of the internal assessment of the undertaking’s risks and solvency. The supervisory authorities review the internal assessment as part of the Supervisory Review Process … First, this enables an evaluation of the risks to which the undertaking is exposed or could become exposed; second, it provides information about the ability of the undertaking to evaluate these risks; and third, it enables an evaluation of the extent to which the undertaking is in a position to withstand potential events or future changes that could adversely impact the overall financial capacity of the undertaking.

Finally, the ORSA allows the supervisory authority to conduct “a review as to whether the undertaking ought to develop an internal model or adjust an existing internal model, or whether the imposition of a capital add-on is appropriate”.

These imputations in the law of ORSA functions to the supervisory authority ignore the primary internal nature of ORSA by assuming two equally ranked functions. The terminology employed—“own” assessment—is indicative of this primary nature. The danger associated with such imputations is that supervisory authorities actually do exercise supervision of an insurance undertaking’s strategy through this approach, however indirectly. The statement of grounds for sec. 28 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act] expressly provides that “supervisory authorities shall review the internal assessment as part of the Supervisory Review Process”. At the same time, the ORSA is also an “integral” or “fixed” “part of the business strategy and shall be taken into account on an ongoing basis in the strategic decisions of the undertaking” under art. 45, para. 4 of the Solvency II Framework Directive and sec. 28, para. 1, sent. 2 of the VAG-E [Government’s Ministerial Draft of a Tenth Act Amending the Insurance Supervision Act]. The business strategy of an insurance undertaking thus becomes, to state it differently, the indirect subject-matter of supervisory review. In light of this, and in order to maintain the sole responsibility of the management bodies and the supervisory exemption of the management tasks of the managing board, the supervisory review of the ORSA requires particular sensitivity and restraint.

Only gold members can continue reading. Log In or Register to continue