‘Box-ticking’ can be a phrase synonymous with poor practice in Enterprise Risk Management (ERM). When poorly executed it can mean going through the motions to display minimum levels of compliance, rather than engaging in any meaningful activity that would deliver any real benefit. Such an approach is not encouraged by regulators.
However, do companies, and indeed individuals, spend enough time making sure they have ticked all the boxes from a compliance perspective? This is an activity that regulators certainly encourage.
With the general direction of regulatory oversight and the formality of Solvency II, companies and boards are now confirming compliance in many areas. There is a risk that the compliance process itself becomes a risk. Compliance risk is one of those intangible issues that can’t be quantified using actuarial models or managed through setting aside capital. It is a risk that is dealt with on a qualitative basis and is managed and controlled rather than measured and capitalised. This means that managing compliance risk might not be front of mind for many companies, especially with such a focus on capital amounts and getting the numbers “right”.
This becomes even more apparent at this time of year, when statutory sign-offs and certifications come into play. If you are being asked to put pen to paper to certify compliance or sign-off on the accuracy of regulatory submissions, how do you know that all the requirements have been adequately met?
The implementation of Solvency II significantly increased the amount of requirements and guidance that companies and individuals have to follow in relation to certifying solvency. This is in addition to increased compliance in other areas over the last number of years, including the Corporate Governance Code in Ireland, policyholder disclosures, etc. A lot of governance tasks that would have developed over time based on industry knowledge and practical sense now have to run the rule against a checklist or a set of requirements.
The very nature of financial reporting is changing to fit this new world. Getting the numbers right is no longer enough, you now also have to evidence how you ensured the figures are accurate and reliable and not misleading. In a Solvency II world the sheer number of requirements (and the very prescriptive and specific nature of some of them) means that the only way to be sure that each and every requirement is covered is to sit down and mark each item off. It is boring, and it doesn’t feel particularly efficient or creative—but it is disciplined and leads to identifying areas for improvement. Going through this value-adding process of identifying and closing gaps in a systematic way clearly is valuable and can help you spot patterns over time. It is also the best way of documenting and demonstrating compliance.
Being able to demonstrate compliance is also a defensive requirement in this new Solvency II world. If an issue arises or a query is raised by a regulator, the drawbacks of ignoring compliance checks quickly become apparent. Your ability to defend what you do now from a challenge in the future depends on your audit trail. So as a parting thought—don’t be afraid to spend some time ticking boxes. It might be more valuable that you think.
The Milliman Solvency II Compliance Assessment Tool distils the Solvency II requirements into easily digestible self-assessment questions and allows insurers to track and evidence their compliance with all the requirements of Solvency II. The tool is already being used by 25 entities in Ireland and the UK. For more information click here.