The ‘why’ and ‘how’ of governance regulation

Jan Parner, deputy director general, Danish Financial Supervisory Authority, on how governance regulation can be made more understandable by showing the efforts and motivations behind it.
The European insurance industry and its governance system are highly regulated. Operating under common European regulation (Solvency II), the regulatory framework is based on a three-pillar structure.
The first pillar contains a capital requirement corresponding to the chosen business model and disciplines both strategy and day-to-day behaviour. The second regulates the core governance system, in a rather explicit manner, by requiring a command and control structure, running an Own Risk and Solvency Assessment process (ORSA) and complying with certain fitness and propriety standards. The third pillar prescribes mandatory public disclosure and regular reporting to the supervisory authority.
Even though the word “governance” is only found in the regulation of pillar II, both the first and third pillars drive organisational behaviour. While we are aware of the self-regulating nature of public disclosures, some decisions may not survive public scrutiny, which is why pillar III is sometimes described as the “name and shame” part of Solvency II.

Governance across three pillars

Closer examination of pillar II reveals a prescriptive framework around the structural parts of the governance system responsible for specific areas such as the actuarial function, compliance, risk management and internal audit.
The regulation itself does not specify what an effective governance system should look like, nor does it specifically mention organisational culture. Instead, it includes measurable outcomes of the governance system, such as a particular process (e.g. ORSA), reporting, and which key function holders should be consulted before making central decisions. Further guidance from the European supervisory authority EIOPA points towards examples of good and bad governance in practice.

Governance in practice

The Regulation and the aspiration for good governance must of course be assessed against their application in practice. This raises the question: how do we assess if a company has implemented good governance and the right risk culture?
Leaving press coverage or whistle-blowers aside, there are two main sources of information to help determine this: the quarterly and annual information submitted to the supervisor and information from onsite inspections.

The role of reporting and on-site inspection

Regulatory submissions can be used to track structural changes in the governance system and detect risk patterns by observing senior management decisions and reading minutes from board meetings.
However, a proper assessment of the effectiveness of the described governance system or the quality of the company culture is often difficult to detect from reading reported material and requires an on-site inspection.
Inspections often depend on the inspector’s “nose” or gut feelings – a skill that usually takes years to develop. And even if the company is assessed as having “poor governance” or “risky culture”, experience shows that it can still be quite challenging to find sufficient evidence to apply the legal hooks in the regulatory framework for more supervisory actions. Governance and company culture are in essence not very tangible.

Sticking to the governance plan

There are, however, two indicators of poor governance that can be used without much experience. The first is checking if the company has done what it set out to do in the governance plan and documentation.
When the company designs how its governance system processes for approval and controls are set up, the question is simply: “how often does the organisation deviate from these approval and control processes?” The more frequently agreed processes are being disregarded, the more likely it is that the company has non-effective governance in the corresponding area.

Reasons for compliance

The second indicator is the reaction following a governance regulation. If the company’s approach is that this is yet another load of compliance and paperwork, red lights should start flashing.
The reason for concern is that these firms are ignoring the solid basis on which governance regulation of the insurance industry is set. The regulation has two major sources: one is the practice of large insurance companies that has already been tried and tested and provides tangible business benefit. The other is the “lessons learned” from supervisors when things went wrong.
If you were a company manager why would you not appreciate setting up a structure that mitigated unwanted business risks? Leaving the perception of reduced autonomy aside for a moment, my experience is that in cases of governance failure, senior management did not understand the rationale behind the regulation nor the story behind it. Therefore it is perhaps not surprising that they would not embrace a piece of regulation on that basis.

The story behind the regulation

When talking about the rationale and story behind regulating governance, I am not thinking of the statement: “both you and your customers will benefit from appropriate governance systems”. How would the company know what “benefit” or “appropriate” is and what the link between these two words is? I am pointing to the underlying story that conveys the experience behind the regulation to the company.
We have had a tsunami of regulation during the financial crisis, including the finalisation of Solvency II. My observation is that during this period we lost the stories behind the regulation. Without stories of “why there is a need for a specific piece of regulation” and “how to implement it effectively”, we risk encouraging a compliance-only approach and missing out on focusing on what is proportionate.

The importance of “why” and “how” for governance regulation

Without the stories of “why”, governance can never reach further than compliance, and without stories of “how” the concept of proportionality stays perceived as a mysteriously unreachable goal.
We spent more than a decade developing the Solvency II regulation, which constitutes a major step up in regulation and insurance business risk management. Now is the time to make it effective, now is the time to write the 1001 stories that make companies take advantage of it.

‘The Governance Trap: Tracking Behaviour and Change’ is the second event in a series of collaborations between Solvency II Wire and the Centre for Analysis of Risk and Regulation (CARR) at the London School of Economics.

The event was held in London on 3 November 2016, hosted by Dentons.