3. Relationship of the Circular to other regulations

1 The special regulations concerning the organisational and operational structure that apply based on other circulars, in particular in the areas of investments and reinsurance, remain unaffected by this Circular. This applies (also in the case of revision and replacement by successive circulars) to
- Circular R 3/2000 (VA) part A III of 19.10.2000 concerning derivative financial instruments,
- Circular R 3/99 parts A II 2 and 3 of 09.10.1999 concerning structured products,
- Circular R 1/2002 part B of 12.04.2002 concerning asset-backed securities and credit-linked notes,
- Circular R 7/2004 (VA) part B of 20.08.2004,
- Circular R 15/2005 (VA) part IX of 20.08.2005 concerning the investment of restricted assets,
- BaFin announcement of 14.09.2005 on the use of financial instruments (VerBaFin 11/2005),
- Guidelines on the solvency of insurance undertakings R 4/2005 (VA) of 01.03.2005,
- Guidelines on the supervision of reinsurance undertakings R 6/2005 (VA) of 02.06.2005,
- Circular R 9/2007 (VA) part A concerning guidelines on risk management in the intermediaries sector,
- Circular R 1/1997 concerning guidelines for ceding undertakings on how to check the capacity and willingness of reinsurance undertakings to settle losses.

2 The circulars issued for the purpose of prevention of money laundering also remain unaffected to the extent that they apply to insurance undertakings.

4. Principle of proportionality

1 Compliance with the requirements set out in sections 64a and 104s VAG and the Minimum Requirements specified in this Circular shall take into account the principle of proportionality. The principle of proportionality states that the requirements must always be met taking the undertaking-specific risks, the nature and scale of the business operations as well as the complexity of the undertaking’s business model into account. The Supervisory Authority therefore assumes that the requirements set out in this Circular can be met by all undertakings.
The principle of materiality is to be taken into account in applying the principle of proportionality. In this context, the principle of materiality means that only material risks are to be considered. For a definition of materiality see 5.1.
The requirements stated in this Circular are to be met by all undertakings, including those that fall below the de minimis thresholds under EU directives. The means of fulfilling these requirements may differ from one undertaking to another for reasons of proportionality. The undertaking must justify any deviations, for example deviations from the group standard (burden of proof).

2 Risk management assessments must take into account the particular features of institutions for occupational retirement provision.
Institutions for occupational retirement provision operate, as a rule, on a limited scale and their business model is less complex.
5. Risks

1 The requirements of the Circular refer to risk management of the material risks described in the following paragraph. Risk is understood as the possibility of non-achievement of an explicitly formulated or implicitly resultant goal. All risks identified by management which can have a sustained negative impact on the undertaking’s financial position, performance or cash flows are considered material. In order to assess whether or not a risk should be deemed material, management must obtain an overview of the undertaking’s overall risk profile. The definition of material risks is the result of the undertaking-specific risk identification processes (7.3.2.1), the risk analysis and risk evaluation (7.3.2.2) and the scaling of materiality the undertaking applies. The undertakings must implement effective control and monitoring measures to ensure that there will be no material errors which could cause the undertaking to accept unreasonably high risks. Appropriate arrangements are to be implemented for risks that are not considered material.
The term ‘risk’ is defined in relation to its effects. It should be interpreted in connection with the objectives to be achieved. Both positive and negative slippage are possible. Negative slippage usually manifests itself as loss. Nonetheless, the function of an effective risk management system is to deal with both entrepreneurial opportunities and risks. This Circular focuses on negative slippage.
In a first step, risk evaluation should always be qualitative. The undertaking is to consider both the on- and off-balance sheet effects of risks. The latter frequently result from risks that are difficult to allocate but must nevertheless be captured and processed, e.g. risks of special purpose entities for which the undertaking is liable, or which may have a negative impact on the undertaking’s financial position, performance or cash flows. A quantitative assessment should be performed only after the undertaking has classified the risk as material in its reference framework.

2 From a regulatory point of view, the minimum risk categories to be taken into account by the undertaking are:
- underwriting risk: Underwriting risk refers to the risk that the costs of claims and benefits actually paid may deviate from the expected costs accidentally or owing to error or change of circumstances.
- market risk: Market risk refers to the risk resulting directly or indirectly from fluctuations in the level and/or volatility of market prices for assets, liabilities and financial instruments. It comprises currency risk and interest rate risk.
- credit risk (including country risk): Credit risk is the risk arising from default of or fluctuations in the creditworthiness (credit spread) of security issuers, counterparties and other debtors against whom insurance and reinsurance undertakings have claims.
- operational risk: Operational risk is the risk of losses due to inadequate or failed internal processes or as a result of employee or system error or from external events. Operational risk also comprises legal risks, but not strategic risks and reputational risks.
- liquidity risk: Liquidity risk is the risk that an undertaking is not in a position to meet financial obligations as they fall due for lack of fungibility.
- concentration risk: Concentration risk refers to the risk arising from the undertaking assuming single or highly correlated risks with significant loss exposure and/or potential defaults.
- strategic risk: Strategic risk is the risk resulting from strategic business decisions. Strategic risk also includes the risk that results from business decisions that are not adapted to a changed economic environment. Strategic risk, as a rule, is a risk that emerges in conjunction with other risks. But it can also emerge as an individual risk.
- reputational risk: Reputational risk is the risk that arises from possible damage to an undertaking’s reputation as a consequence of negative public perception (e.g. among clients, business partners, shareholders or the authorities). Like strategic risk, reputational risk, as a rule, is a risk that emerges in conjunction with other risks. But it can also emerge as an individual risk.
Risk categorisation represents a reduction in complexity. The Supervisory Authority expects undertakings to address at least the risks listed in this Circular in their risk reports to be submitted under section 55c VAG. Undertakings may employ risk categories different from those suggested in the Circular, provided all the risks described in the notation section are taken into account.
6. Overall responsibility of management

1 All managers (irrespective of internal rules regarding areas of responsibility) are responsible for ensuring that the undertaking has sound administrative procedures (section 64a (1) sentence 2 and section 104s sentence 3 VAG).
Overall responsibility of management means that all managers are informed of the risks their undertaking is exposed to, can judge the main impacts on the undertaking and must take the measures necessary to limit them; that is, all managers are responsible for implementing and further developing a functioning risk management system. Responsibility for risk management decisions (decisions on acceptance and handling of material risks) lies with management and may not be delegated. The option of transferring responsibility for current execution of individual administrative procedures to one or more members of management remains unaffected by this regulation unless otherwise provided for by other statutory regulations.
7. Elements of adequate risk management

1 Undertakings must set up a risk management system that contains the elements listed in section 64a (1) sentence 4 VAG. The essential elements of risk management are not independently juxtaposed but dovetailed to form a consistent and interlocking whole (holistic approach), making it possible to deal effectively with undertaking-specific risks.
The holistic approach requires that the risk strategy appropriate for the overall risk profile be implemented from the top down in operational day-to-day business to the degree necessary and that risks of operational day-to-day business in turn be reported from the bottom up, so that an overall risk profile can be developed.
7.1 Risk strategy

1 Determining the business strategy and the resultant adequate risk strategy lies in the non-delegable overall responsibility of management and is to be documented by them.
By business strategy, the Supervisory Authority understands the undertaking’s business orientation, its goals and planning over an appropriate time horizon, whereas by risk strategy it understands the description of dealing with the risks resulting from the business strategy. The business strategy is not the object of audits by the Supervisory Authority or the internal auditing department. The risk strategy, in contrast, is subject to auditing by the Supervisory Authority. The Supervisory Authority assesses the risk strategy against the backdrop of the business strategy as a consistency check. In particular, the risk strategy presents the effects of the business strategy on the undertaking’s risk situation and describes how existing risks are dealt with and the undertaking’s ability to bear newly emerging risks. The manner in which the board of management documents its risk strategy is at the undertaking’s discretion. In addition to a summarised version in one document (e.g. for a group), the strategy can also be presented in several documents, provided that there is a consistent interrelationship between the various documents.

2 The risk strategy is to describe the risks resulting from the business strategy and should be designed in such a way that it dovetails smoothly with the functional risk treatment. The risk strategy must address:
- the type of risk (which risks should be taken on in the first place?),
- the risk tolerance (what amount of risk is chosen?),
- the origin of risk (from where does the risk originate?),
- the time horizon of the risks (which risks in which time period are to be dealt with under the existing risk coverage?) and
- the risk-bearing capacity.

Sustainable business expectations are to be included in the business strategy (e.g. type of business, targeted volume, profit forecast and costs). The resultant risks are presented in the risk strategy with regard to their impact on the financial position, performance and cash flows of the undertaking, together with the resultant guidelines for dealing with risk. It is critical that the expectations and risks are defined at operational level so that employee guidelines for risk management are established in day-to-day business.
Origin need not necessarily be understood geographically; it could also refer to a class of insurance.

3 If new business areas are taken on or new capital market, insurance or reinsurance products are introduced, an evaluation of their impact on the overall risk profile must be made. The same applies to significant changes in market parameters and risk assessments. Changes in the risk strategy may be necessary if the overall risk profile changes substantially. The management of the undertaking must review this on an ongoing basis. Involving the responsible actuary in accordance with his supervisory function may be considered.
Changes in the overall risk profile should not be restricted to investment parameters only but should include the impact of changes in risk assessment in general and, in particular, in relation to new types of risk (such as, for instance, terrorism, pandemics and asbestos exposure risks).

4 Management is to review the business strategy as well as the risk strategy at least once each financial year, making adjustments if necessary. The strategies are to be reported to the undertaking’s supervisory body for discussion, if there is such a body.
As a general rule, the risk strategy is to be reported to each member of the supervisory body. If the supervisory body has formed a responsible committee for this purpose, the risk strategy can also be reported to this committee for discussion. This is subject to the prerequisite that a corresponding resolution has been passed on the establishment of the committee, and that the chairperson of the committee makes a report to the entire supervisory body on a regular basis. Furthermore, each member of the supervisory body must be given the right to view the risk strategy at any time.
Especially for purposes of preventing strategic risks, the Supervisory Authority recommends that management conduct a critical quality analysis (“strategy audit”) of its actions and decisions at least once a year, or present in writing the grounds for deeming such an audit unnecessary. The strategy audit could, for example, be performed in cooperation with internal audit or the supervisory body.

7.2 Organisational framework

1 To implement sections 64a and 104s VAG, the undertaking must ensure that business operations that involve material risks are carried out on the basis of internal company guidelines. These guidelines are to take into account the strategic limits of the business activities as well as the limits defined by law and the undertaking’s memorandum and articles of association, and they must determine the organisational framework conditions under which the company operates, which applies in particular to the
- organisational structure,
- operational structure, including
  a) integration of new business areas and new capital market, insurance or reinsurance products,
  b) internal resources and incentive systems,
  c) organisational development;
- the implementation of an appropriate internal risk treatment and control system, including
  a) a risk-bearing capacity concept,
  b) risk identification, analysis, evaluation, treatment and monitoring,
  c) an internal communications structure,
  d) meaningful reporting;
- responsibilities and functions of the internal audit function,
- internal controls,
- decisions on outsourcing within the meaning of section 5 (3) no. 4 VAG,
- contingency planning,
- appropriate information and documentation.

2 Materially significant individual decisions and instructions by the management levels below corporate management that violate internal policy guidelines are to be justified in writing, documented and presented to management for their information.
This does not refer to the individual decisions taken in operational day-to-day business but to decisions on matters that are of material significance to the undertaking and which are taken by the management levels determined by the organisational structure.
7.2.1 Organisational structure

1 The organisational structure of the undertaking is to be geared to supporting the undertaking’s most important strategic goals. In principle, there must be a clear separation of incompatible functions, up to and including the management level. The persons responsible for building up risk positions may not, even indirectly, be simultaneously entrusted with their monitoring and control.
A function is the administrative capacity to assume specific tasks. Unless otherwise provided for, defining a specific function does not prevent the undertaking from freely deciding how this function is to be organised in practice.

2 If completely separating incompatible functions would place an unreasonable burden on an undertaking due to its size, avoidance of conflicts of interest must be adequately ensured by other means. In the process, consistency with the chosen risk strategy must be ensured.
As a general rule, the principle of separation of functions, for example between functional risk treatment and the risk control function, must be observed up to and including management level. To function properly, separation of functions must take into account the hierarchical structures. In companies where a separation of functions and personnel is not possible due to the low number of employees, joint performance of two intrinsically incompatible functions may be permitted on an exceptional basis if accompanying measures (transparency through clear documentation, reporting lines separate from functional authority structures, “four eyes” principle) ensure that no conflicts of interest arise.

3 Duties and responsibilities within the organisational structure must be clearly defined and coordinated with each other. When determining responsibilities, the following requirements for the staff members performing the respective function(s) must be complied with:
The definitions used for the functions are not mandatory. An undertaking may have its own individual system. In particular, deviations in the terms describing the required functions in risk management are permitted; the decisive factor is the content of the function. The required functions are not to be equated with the competent business units.

a) Management is responsible for
- defining uniform guidelines for risk management, taking internal and external requirements into account,
- determining business and risk strategy,
- determining risk tolerance and observing the risk-bearing capacity,
- continuous monitoring of the risk profile and establishing an early warning system as well as providing solutions for material risk-relevant ad hoc problems.

Risk tolerance is dependent on the individual risk-acceptance level of management, which is reflected in the undertaking’s risk strategy. The risk-bearing capacity can, in contrast, be objectively determined and constitutes the upper limit.

b) The independent risk control function coordinates and is responsible for
- identification, analysis and evaluation of risks, at least at the aggregate level,
- development of methods and processes for risk evaluation and monitoring,
- risk reporting on identified and analysed risks and determining risk concentrations,
- recommendation of limits,
- monitoring limits and risks at aggregate level, monitoring measures to limit risk,
- assessing planned strategies under risk aspects,
- evaluating new products as well as the current product portfolio in terms of risk,
- validating any risk evaluations performed by the business units.
Individuals or business units performing this function must be able to carry out their tasks objectively and independently. The risk control function need not necessarily be at management level. To enable it to perform its duties, the risk control function must be granted a full, unlimited right to information.
Immediate reporting to the independent risk control function is necessary if material deficiencies have been identified, if there has been serious financial damage, or if there is a reasonable suspicion that irregularities have occurred.
The supervisory body (if one exists) may contact the independent risk control function directly for additional information. This option is limited by the statutory or contractually agreed information rights and obligations the supervisory body is subject to.

c) The operating business units are responsible for implementing the identification, analysis and, in particular, the treatment of all material risks in their area. The business units are free to subdivide the limits specified for them by management. The tasks, responsibilities, representation rules and competencies of the business unit when dealing with risks are to be defined and documented.

d) The internal audit function independently reviews all business units, processes, procedures and systems following its own procedure and objectively focusing on risk. In this way, it is able to detect risks, hazards and deficiencies at an early stage and report them to management.
The concrete responsibilities of internal audit are set out in 7.4 Internal auditing, on page 36.
7.2.2 Operational structure

1 The operational structure is to support the main functions of the organisational structure in line with the risk strategy. The operational structure enables all responsibilities and all business processes that involve material risks to be determined. The operational structure is to be clearly defined. Appropriate responsibilities are to be defined for all business processes that involve material risks, including the transfer of data and results.
The operational structure requires adequate personnel resources. Staffing must be based, among other things, on internal requirements, business activities and the risk situation. Employees must be trained so that they can identify risks and address them appropriately.

All business processes which carry material risk, and their interfaces, are to be treated in such a way that they support the business goals and keep deviations from these to a minimum.

2 All business processes dealing with operations that involve material risks are to be adequately managed and monitored. Such business processes include, at a minimum, the underwriting business, provisioning, investment management (including asset liability management) and ceded reinsurance management.