A failure to comply with the qualitative and quantitative requirements may have severe consequences for the financial soundness of an insurer or reinsurer. The supervisory review therefore aims to identify institutions with financial, organisational or other features susceptible to producing a higher risk profile.

Under the Supervisory Review Process (SRP), the supervisory authorities review and evaluate the strategies, processes and reporting procedures established by insurers and reinsurers to comply with this Directive as well as the risks the undertaking faces or may face and its ability to assess those risks.

The review also comprises an assessment of the adequacy of the undertakings' methods and practices to identify possible events or future changes in economic conditions that could have unfavourable effects on its overall financial standing.

In order to ensure the efficiency of the SRP, it is important that supervisory authorities are given the power to remedy the weaknesses and deficiencies identified in the supervisory review including a follow-up process of their findings.

It is moreover essential that supervisory authorities have appropriate monitoring tools that enable deteriorating financial conditions to be identified and remedied.

The results of the SRP are very useful for the supervisory authorities in prioritising future work, to ensure an appropriate degree of consistency in supervisory approaches between supervisory authorities and to provide feedback to the undertaking.

Consistency of governance requirements across the banking, securities and (re)insurance sectors is essential to ensure cross-sectoral consistency. The governance requirements set out in this Directive aim at achieving this objective.

Robust governance requirements are a pre-requisite for an efficient solvency system. Some risks may only be addressed through governance requirements rather than by setting quantitative requirements.

A robust governance system is hence of key importance for the adequate management of the insurer and critical to the effectiveness of the supervisory system.

The governance system includes compliance with the requirements on fit and proper, risk management, the own risk and solvency assessment, internal control, internal audit, the actuarial function and outsourcing. The implementing measures on the governance requirements will specify the proportionality principle.

The identification of governance functions in the Directive should help undertakings in deciding how to implement the governance system. A function is an administrative capacity to undertake particular tasks.

The identification of a particular function does not prevent the undertaking from freely deciding how to organise this function in practice unless this is otherwise specified in this Directive.

This should not lead to unduly burdensome requirements because account should be taken of the nature, scale and complexity of the operations of the undertaking.

The governance functions can therefore be staffed by own staff or can rely on advice from outside experts or can be outsourced to experts within the limits set by this Directive. Furthermore, in smaller and less complex undertakings, more than one function can be carried out by one person or organisational unit.

In order to make the governance system work well, undertakings are required to have written policies in place which clearly set out how they deal with internal control, internal audit, risk management and, where relevant, with outsourcing. It is essential that the administrative or management body is actively involved in the governance system.

The written policies should therefore be approved by the administrative or management body and be revised at least annually or before any significant change is implemented in the system. The amendment of the policies prior to the system change is essential because the undertaking would otherwise already be in non-compliance with its internal strategies and processes.

It is the role of the supervisory authority in the SRP to review and evaluate the governance system.

As part of their risk management system, all (re)insurance undertakings should have, as an integral part of their business strategy, a regular practice of assessing their overall solvency needs with a view to their specific risk profile.

The ORSA has a twofold nature.

1. It is an internal assessment process within the undertaking and is as such embedded in the strategic decisions of the undertaking.

2. It is also a supervisory tool for the supervisory authorities, which must be informed about the results of the own risk and solvency assessment of the undertaking.

The ORSA does not require an undertaking to develop or apply a full or partial internal model. However, if the undertaking already uses an approved full or partial internal model for the calculation of the SCR, the output of the model should be used in the ORSA.

The ORSA does not create a third solvency capital requirement. The ORSA should not be overly burdensome on small or less complex undertakings. The supervisory authority reviews the own risk and solvency assessment as part of the supervisory review process of the undertaking. The results of each ORSA conducted shall be reported to the supervisory authority as part of the information to be provided for supervisory purposes.

General governance requirements

1. Member States shall require all insurance and reinsurance undertakings to have in place an effective system of governance which provides for sound and prudent management of the business.

That system shall at least include an adequate transparent organisational structure with a clear allocation and appropriate segregation of responsibilities and an effective system for ensuring the transmission of information. It shall include compliance with the requirements laid down in Articles 42 to 48.

The system of governance shall be subject to regular internal review.

2. The system of governance shall be proportionate to the nature, scale and complexity of the operations of the insurance or reinsurance undertaking.

3. Insurance and reinsurance undertakings shall have written policies in relation to at least risk management, internal control, internal audit and, where relevant, outsourcing. They shall ensure that those policies are implemented.

Those written policies shall be reviewed at least annually. They shall be subject to prior approval by the administrative or management body and be adapted in view of any significant change in the system or area concerned.

4. The supervisory authorities shall have appropriate means, methods and powers for verifying the system of governance of the insurance and reinsurance undertakings and for evaluating emerging risks identified by those undertakings which may affect their financial soundness.

The Member States shall ensure that the supervisory authorities have the powers necessary to request that the system of governance be improved and strengthened to ensure compliance with the requirements set out in Articles 42 to 48.

Fit and proper requirements for persons who effectively run the undertaking or have other key functions

1. Insurance and reinsurance undertakings shall ensure that all persons who effectively run the undertaking or have other key functions meet at all times the following requirements:

(a) their professional qualifications, knowledge and experience are adequate to enable sound and prudent management (fit);

(b) they are of the highest repute and integrity (proper).

2. Insurance and reinsurance undertakings shall notify the supervisory authority of any changes to the identity of the persons who effectively run the undertaking or have other key functions, along with all information needed to assess whether any new persons appointed to manage the undertaking are fit and proper.

3. Insurance and reinsurance undertakings shall notify their supervisory authority if any of the persons mentioned in paragraphs 1 and 2 have been replaced because they no longer fulfil the requirements referred to in point (b) of paragraph 1.

Article 43

Risk Management

1. Insurance and reinsurance undertakings shall have in place an effective risk management system comprising strategies, processes and reporting procedures necessary to monitor, manage and report, on a continuous basis the risks, on an individual and aggregated level, to which they are or could be exposed, and their interdependencies.

That risk management system shall be well integrated into the organisational structure of the insurance or reinsurance undertaking. It shall contain contingency plans.

2. The risk management system shall cover the risks to be included in the calculation of the Solvency Capital Requirement as set out in Article 101(4) as well as the risks which are not or not fully included in the calculation thereof.

It shall cover at least the following areas:

(a) underwriting and reserving;

(b) asset – liability management;

(c) investment, in particular derivatives and similar commitments;

(d) liquidity and concentration risk management;

(e) reinsurance and other risk mitigation techniques.

The written policy on risk management referred to in Article 41(3) shall comprise policies relating to points (a) to (e) of the second subparagraph of this paragraph.

3. As regards investment risk insurance and reinsurance undertakings shall demonstrate that they comply with Chapter VI, Section 6.

4. Insurance and reinsurance undertakings shall provide for a risk management function which shall be structured in such a way as to facilitate the implementation of the risk management system.

5. For insurance and reinsurance undertakings using a partial or full internal model approved in accordance with Articles 110 and 111 the risk management function shall cover the following additional tasks:

(a) to design and implement the internal model;

(b) to test and validate the internal model;

(c) to document the internal model and any subsequent changes made to it;

(d) to inform the administrative or management body about the performance of the internal model, suggesting areas needing improvement, and up-dating that body on the status of efforts to improve previously identified weaknesses;

(e) to analyse the performance of the internal model and to produce summary reports thereof.

Article 44

Own risk and solvency assessment

1. As part of its risk management system every insurance or reinsurance undertaking shall conduct its own risk and solvency assessment.

That assessment shall include at least the following:

(a) the overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the undertaking;

(b) the compliance, on a continuous basis, with the capital requirements, as laid down in Chapters VI, Sections 4 and 5 and with the requirements regarding technical provisions, as laid down in Chapter VI, Section 2.

(c) the extent to which the risk profile of the undertaking concerned deviates significantly from the assumptions underlying the Solvency Capital Requirement as laid down in Article 101 (3), calculated with the standard formula in accordance with Chapter VI, Section 4, Subsection 2 or with its partial or full internal model in accordance with Chapter VI, Section 4, Subsection 3.

2. For the purposes of point (a) of paragraph 1, the undertaking concerned shall have in place processes which enable it to properly identify and measure the risks it faces in the short and the long term and also to identify possible events or future changes in economic conditions that could have unfavourable effects on its overall financial standing.

The undertaking shall demonstrate the methods used to determine its overall solvency needs.

3. In the case referred to in point (c) of paragraph 1 when an internal model is used, the assessment shall be performed together with the recalibration that transforms the internal risk numbers into the Solvency Capital Requirement risk measure and calibration.

4. The own risk and solvency assessment shall be an integral part of the business strategy and shall be taken into account on an ongoing basis in the strategic decisions of the undertaking.

5. Insurance and reinsurance undertakings shall perform the assessment referred to in paragraph 1 regularly and without any delay following any significant change in their risk profile.

6. The insurance and reinsurance undertakings shall inform the supervisory authorities of the results of each own risk and solvency assessment as part of the information reported under Article 35.

Article 45

Internal Control

1. Insurance and reinsurance undertakings shall have in place an effective internal control system.

That system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a permanent compliance function.

2. The compliance function shall include advising the administrative or management body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive. It shall also include an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.

Article 46

Internal Audit

1. Insurance and reinsurance undertakings shall provide for an effective and permanent internal audit function.

2. The internal audit function shall include the examination of the compliance of the activities of an insurance and reinsurance undertaking with all its internal strategies, processes and reporting procedures.

The internal audit function shall also include an evaluation of whether the internal control system of the undertaking remains sufficient and appropriate for its business.

3. The internal audit function shall be objective and independent from the operational functions.

4. Any findings and recommendations of the internal audit shall be reported to the administrative or management body which shall ensure compliance with the internal audit findings and recommendations.

Article 47

Actuarial Function

1. Insurance and reinsurance undertakings shall provide for an effective actuarial function to undertake the following :

(a) to coordinate the calculation of technical provisions;

(b) to ensure the appropriateness of the methodologies and underlying models used as well as the assumptions made in the calculation of technical provisions;

(c) to assess the sufficiency and quality of the data used in the calculation of technical provisions;

(d) to compare best estimates against experience;

(e) to inform the administrative or management body of the reliability and adequacy of the calculation of technical provisions;

(f) to oversee the calculation of technical provisions in the cases set out in Article 81;

(g) to express an opinion on the overall underwriting policy;

(h) to express an opinion on the adequacy of reinsurance arrangements;

(i) to contribute to the effective implementation of the risk management system referred to in Article 43, in particular with respect to the risk modelling underlying the calculation of the capital requirements set out in Chapter VI, Sections 4 and 5 and the assessment referred to in Article 44.

2. The actuarial function shall be carried out by persons with sufficient knowledge of actuarial and financial mathematics and able where appropriate, to demonstrate their relevant experience and expertise with applicable professional and other standards

Article 48

Outsourcing

1. Member States shall ensure that, when insurance and reinsurance undertakings outsource critical or important operational functions or any insurance or reinsurance activities, the undertakings remain fully responsible for discharging all of their obligations under this Directive.

2. Outsourcing of important operational activities shall not be undertaken in such a way as to lead to any of the following:

(a) impairing materially the quality of the governance system of the undertaking concerned;

(b) increasing unduly the operational risk;

(c) impairing the ability of the supervisory authorities to monitor the compliance of the undertaking with its obligations;

(d) undermining continuous and satisfactory service to policyholders.

3. Insurance and reinsurance undertakings shall, in a timely manner, notify the supervisory authorities prior to the outsourcing of important activities as well as of any subsequent material developments with respect to those activities.

Article 49

Implementing measures

The Commission shall adopt implementing measures to further specify the following:

(1) the elements of the systems referred to in Articles 41, 43, 45 and 46, and in particular the areas to be covered by the asset – liability management and investment policy, as referred to in Article 43(2), of insurance and reinsurance undertakings;

(2) the functions referred to in Articles 43, 45, 46 and 47;

(3) the requirements set out in Article 42 and the functions subject thereto;

(4) the conditions under which outsourcing may be performed.

Those measures designed to amend non-essential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 304(3).