Outsourcing with Solvency II in your back pocket

-

Getting outsourcing contracts to comply with Solvency II is not rocket science, but requires a certain amount of attention. Here are some practical guidelines.

Where within banks the Basel II implementation projects come to an end, are insurers burning the midnight oil to get Solvency II implemented before the end of 2012. The Solvency II legislation is aimed at improving risk management practices within insurance companies and providing better protection for policyholders. For this purpose, the legislation demands:

  • the insurer to hold enough capital to survive a period of economic hardship (pillar 1),
  • adequate quality of internal controls and governance (Pillar 2) and
  • greater transparency in communication with the regulator and market (Pillar 3).

These three topics have been translated into clauses that must be complied with. If the insurer has not outsourced any IT or business processes, it is sufficient for the insurer to translate the legislation into internal controls. If the insurer has however outsourced activities then two activities are added to the project:

  • Compliance with specific outsourcing requirements (in particular Article 49)
  • Translating internal controls into a framework the supplier has to adhere to.

Specific requirements for outsourcing
Before going into more deatil, is it important to note that currently only the top-level requirements have been published (known as level 1). These requirements are now being developed further into more detailed demands (level 2 to level 4). Ensure therefore to incorporate sufficient flexibility in new outsourcing contracts to cater for additional future requirements. Otherwise you might have to break open the contract and renegotiate parts of it.

At the highest detail level the specific requirements the insurer has to comply with related to outsourcing are:

  • the insurer remains fully responsible for compliance with Solvency II. In short, the insurer does not get away with pointing its finger at the vendor if it does not comply with the legislation.
  • The insurer must have written policies regarding outsourcing and adhere to them.
  • Outsourcing should not adversely impact on the quality of the governance system. In short: good control over the vendor is key.
  • Outsourcing should not adversely affect operational risk. In short: define the operational risk profile before outsourcing and ensure that sufficient mechanisms are in place to manage the operational risk profile after outsorucing.
  • Outsourcing should not adversely affect the ability of the regulator to check whether the insurer meets its obligations. This includes the requirement of the regulator to have access to the location of the supplier. In short, it is possible that a regulator wants to take a plane to India to audit a vendor.
  • Outsourcing may not adversely affect the continuity and adequacy of services.
  • The insurer will inform the supervisor prior to the outsourcing of critical or important functions or activities. In addition, the supervisor has to be informed in case of substantial changes to the contract.

It seems on first sight a relatively simple list, but demonstrating compliance to the regulator requires still some thought. In addition, not all (foreign) suppliers are eager to get a foreign regulator on its premises.

Translating internal controls

When a (part of) a business process or IT systems is outsourced, it must continue to meet the requirements set by Solvency II. The easiest way is to impose the existing internal control framework on the vendor. This is also the most expensive solution, because the vendor would not be able to use its own processes and best practices regarding risk management. Using  standard SAS70 / ISAE 3402 as a compliance-cure will not do, because its scope does not match the specific demands posed by Solvency II.

Without going into too much detail, the following recommendations will guide you in the right direction:

  • Define for the outsourced activities a "Solvency II risk profile”. Some activities and IT systems will hardly be affected by Solvency II, while other parts will be heavily impacted by Solvency II.
  • Differentiate the design of the risk control framework based on the risk profile. Think of a 'bronze' approach for activities with a low risk and a silver and gold framework for critical processes.
  • Translate the bronze, silver and gold profiles in specific control measurements and requirements the vendor has to comply with. Put relatively mild measures for bronze (e.g. reporting, due diligence on policies, relying on monitoring framework of vendor) and put heavier measures when outsourcing more risky activities (e.g. prescribing controls, third party audits, strict monitoring of vendor compliance ).

This approach allows for an optimal allocation of scarce time and resources to existing and planned outsourcing contracts in order to make them comply with Solvency II. It's not rocket science, but especially translating an internal control framework into an adequate framework for the vendor requires some thought and attention.

Comments

  1. Outsourcing PhilippinesSeptember 3, 2010 at 4:44 AM

    Great post! I came here through google search. hope to read more updates.

    ReplyDelete

Post a Comment

Popular posts from this blog

Beyond Two-Speed IT – Part 3

-
Summary This blog is about shifting gears and the ability to offer cars in other colors than T-Ford-black. It is the third and last part of a blog focusing on the importance of translating market and business context into the value proposition offered by IT. You can find the first part   here   and the second part   here .   FedEx and UPS dominate their markets,   again   using slightly different value propositions. Compared to UPS, FedEx offers its customer more flexibility at a slightly higher price point. More price sensitive customers opt for UPS and the more standardized value proposition that comes with it. More pronounced is the difference between Walmart and Amazon. The first has its roots in physical retail outlets while the second started as a native digital business model. Differentiation can also be observed at an operational level. Marketeers want to try new things on a daily basis, while the controllers and bookkeepers of the finance and administration (F&
Read more

Beyond Two-Speed IT – Part 2

-
Summary Markets move at different speeds and in different directions, constantly reshaping the technology-related capabilities required by the business. In the second part, the difference between Customer Intimacy strategy and Operational Excellence strategy is used demonstrate that ‘differentiation’ is more than choosing Agile over Waterfall development. The first part of this blog dedicated to market and business context is  here .   Dell was founded in 1984 and was added to the Fortune 500 in 1992. Its key to success was building direct relationships with the customer via the internet. At the time, most competitors targeting consumers via analogue sales channels, such as brick and mortar shops. Selling directly to the customer also enabled Dell to build-to-order instead of the traditional build-to-stock model. It kept waste to a minimum and allowed the customer to choose from a wide selection of configuration options. Dell’s pursued a customer intimacy strategy, cont
Read more

Beyond Two-Speed IT – Part 1

-
Summary Markets move at different speeds and in different directions, constantly reshaping the technology-related capabilities required by the business. This blog is the first in a series covering the third principle of the Digital Manifesto.   When in New York, searching for a restaurant on your mobile yields those nearest to your current location. If your search history indicates you like Chinese food, the results will highlight those. To create this kind of personalized experience, Google Now, Cortana and Siri combine several data sources, such as location and past usage patterns, to deliver a personalized experience. The capability to show the restaurants in New York instead of Moscow reduces the ‘search stress’ faced by customers and the saved time is a source of customer benefits. The business has a similar expectation. When requesting a new IT solution, the context, such as stable versus emerging market, or having little or intense competition, is at least as rel
Read more