Guidelines on system of governance

1. Introduction

1.1. According to Article 16 of Regulation (EU) 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (hereinafter “EIOPA Regulation”)[1], EIOPA issues these Guidelines addressed to the supervisory authorities on how to proceed with the application of Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking up and pursuit of the business of Insurance and Reinsurance (hereinafter “Solvency II”)[2].

1.2. These Guidelines are based on Articles 40 to 49, Article 93, Article 132 and Article 246 of Solvency II and on Articles 258 to Article 275 of Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 supplementing Directive 2009/138/EC ("Commission Delegated Regulation 2015/35")[3].

1.3. The requirements on the system of governance are aimed at providing for sound and prudent management of the business of undertakings without unduly restricting them in choosing their own organisational structure, as long as they establish an appropriate segregation of duties.

1.4. At least the four functions included in the system of governance, namely the risk management, the compliance, the actuarial and the internal audit function, are considered to be key functions and consequently also important or critical functions. Furthermore, persons are considered to be persons having key functions if they perform functions of specific importance for the undertaking in view of its business and organisation. These additional key functions, if any, are identified by the undertaking, but the determination of whether such functions should be considered key or not may be challenged by the supervisory authority.

1.5. These Guidelines provide further details on a number of issues regarding remuneration policy, including the composition of the remuneration committee.

1.6. The fit and proper requirements apply to all persons who effectively run the undertaking or have other key functions in order to ensure that all the persons having relevant functions in the undertaking are appropriately qualified. The scope of the requirements aims to avoid gaps where important persons for the undertaking are not covered, accepting at the same time that there may well be considerable overlap between persons from senior management who are considered to effectively run the undertaking and other key function holders.

1.7. The notification requirements only apply to persons who effectively run the undertaking or are key function holders as opposed to persons who have or perform a key function. In case of outsourcing of a key function or of outsourcing of a part of a function where this part is regarded as key, the person responsible is considered to be the one who has the oversight over the outsourcing at the undertaking.

1.8. The Guidelines on risk management take as a starting point that an adequate risk management system requires an effective and efficient set of integrated measures which must fit into the organisation and operational activity of the undertaking. There is no single risk management system that is appropriate to all undertakings; the system must be tailored to the individual undertaking.

1.9. Although the own risk and solvency assessment (hereinafter “ORSA”) is part of the risk management system, the corresponding Guidelines are set out separately.

1.10. While internal models are mentioned in connection with the responsibilities of the risk management function, on the whole, the Guidelines on the system of governance do not address specific internal model related issues.

1.11. Article 132 of Solvency II introduces the ‘prudent person principle’ which includes provisions on how undertakings should invest their assets. The absence of regulatory limits on investments does not mean that undertakings can take investment decisions without any regard to prudence and to the interests of policyholders. The requirements of Solvency II and of the Commission Delegated Regulation 2015/35 cover extensively some of the main aspects of the prudent person principle, such as asset liability management, investment in derivatives, liquidity risk management and concentration risk management. Therefore, the intention of these Guidelines is not to further develop these aspects, but to focus on the remaining aspects of the prudent person principle.

1.12. With respect to the actuarial function, these Guidelines focus on what should be done by the actuarial function, rather than how it should be performed. As the purpose of having the actuarial function is to provide a measure of quality assurance through expert technical actuarial advice, it is especially important to establish specific technical guidance on the tasks, responsibilities and other aspects of the actuarial function.

1.13. Currently, the institution of the “responsible/appointed actuary” exists in some Member States. As the “responsible/appointed actuary” is not foreseen by Solvency II, it is up to the supervisory authorities concerned to decide on whether to keep the “responsible/appointed actuary” or not, and how it relates to the actuarial function. However, this issue is not addressed under these Guidelines.

1.14. The Guidelines on outsourcing are based on the principle that an undertaking has to ensure that it remains fully responsible for discharging all its obligations when outsourcing any function or activities. In particular, there are strict and rigorous measures an undertaking must meet if it outsources a critical or important function or activity. In particular, an undertaking has to give proper consideration to the content of the written agreement with the service provider.

1.15. Intra group outsourcing is not necessarily different from external outsourcing. It may allow for a more flexible selection process, but it should not be seen as automatically requiring less care and oversight than external outsourcing.

1.16. The Guidelines apply to both individual undertakings and mutatis mutandis at group level. Additionally, for groups the group specific Guidelines apply.

1.17. The implementation of governance requirements at group level should be understood as having in place a robust governance system applied to one coherent economic entity (holistic view) comprising all entities that are part of the group.

1.18. Solvency II requires that all the insurance and reinsurance undertakings in a group have in place a risk management system and an internal control system and that this requirement is applied in a consistent manner in the group. However, from a group risk management and governance perspective, the group and the group supervisor have also to take into account the risks arising from other entities that are part of the group.

1.19. When the Guidelines refer to entities that are part of the group, in general, they refer to insurance and reinsurance undertakings, but also to all the other entities that are part of the group.

1.20. The governance requirements at group level take into account the corporate governance responsibilities of both the administrative, management or supervisory body at group level, that is, the administrative, management or supervisory body of the participating insurance or reinsurance undertaking, the insurance holding company or the mixed financial holding company, and the administrative, management or supervisory body of legal entities that are part of the group.

1.21. For the purpose of these Guidelines, the following definitions have been developed:
- ‘persons who effectively run the undertaking’ cover members of the administrative, management or supervisory body taking into account national law, as well as members of the senior management. The latter includes persons employed by the undertaking who are responsible for high level decision making and for implementing the strategies devised and the policies approved by the administrative, management or supervisory body;
- ‘persons having other key functions’ include all persons performing tasks related to a key function;
- ‘key function holders’ are the persons responsible for a key function as opposed to persons having, carrying out or performing a key function.

1.22. If not defined in these Guidelines the terms have the meaning defined in the legal acts referred to in the introduction.

1.23. The Guidelines shall apply from 1 January 2016.

[1] OJ L 331, 15.12.2010, p. 48.
[2] OJ L 335, 17.12.2009, p. 1.
[3] OJ L 12, 17.01.2015, p. 1.

Section 1: General Governance requirements

Guideline 1 – The administrative, management or supervisory body

1.24. The administrative, management or supervisory body (hereinafter “AMSB”) should have appropriate interaction with any committee it establishes as well as with senior management and with persons having other key functions in the undertaking, proactively requesting relevant information from them and challenging that information when necessary.

1.25. At group level the AMSB of the participating insurance or reinsurance undertaking, the insurance holding company or the mixed financial holding company should have an appropriate interaction with the AMSB of all entities within the group that have a material impact on the risk profile of the group, requesting information proactively and challenging the decisions in the matters that may affect the group.

Guideline 2 – Organisational and operational structure

1.26. The undertaking should have organisational and operational structures aimed at supporting the strategic objectives and operations of the undertaking. Such structures should be adapted to changes in the strategic objectives, operations or in the business environment of the undertaking within an appropriate period of time.

1.27. At group level, the AMSB of the participating insurance or reinsurance undertaking, the insurance holding company or the mixed financial holding company should assess how changes to the group’s structure impact the financial position of the affected undertakings of the group and make the necessary adjustments in a timely manner.

1.28. The AMSB of the participating insurance or reinsurance undertaking, the insurance holding company or the mixed financial holding company should, in order to take appropriate measures, have an appropriate knowledge of the corporate organisation of the group, the business model of its different entities and the links and relationships between them and the risks arising from the group’s structure.

Guideline 3 – Significant decisions

1.29. The undertaking should ensure that any significant decision of the undertaking involves at least two persons who effectively run the undertaking before the decision is being implemented.

Guideline 4 – Documentation of decisions taken at the level of the AMSB

1.30. The undertaking should appropriately document the decisions taken at the level of the AMSB of the undertaking and how information from the risk management system has been taken into account.

Guideline 5 – Allocation and segregation of duties and responsibilities

1.31. The undertaking should ensure that the duties and responsibilities are allocated, segregated and coordinated in line with the undertaking’s policies and reflected in descriptions of tasks and responsibilities. The undertaking should ensure that all the important duties are covered and that unnecessary overlaps are avoided. Effective cooperation between personnel should be fostered.

Guideline 6 – Internal review of the system of governance

1.32. The AMSB of the undertaking should determine the scope and frequency of the internal reviews of the system of governance, taking into account the nature, scale and complexity of the business both at individual and at group level, as well as the structure of the group.

1.33. The undertaking should ensure that the scope, findings and conclusions of the review are properly documented and reported to its AMSB. Suitable feedback loops are necessary to ensure follow up actions are undertaken and recorded.

Guideline 7 – Policies

1.34. The undertaking should align all policies required as part of the system of governance with each other and with its business strategy. Each policy should clearly set out at least:
a) the goals pursued by the policy;
b) the tasks to be performed and the person or role responsible for them;
c) the processes and reporting procedures to be applied;
d) the obligation of the relevant organisational units to inform the risk management, internal audit, compliance and actuarial functions of any facts relevant for the performance of their duties.

1.35. In the policies that cover the key functions, the undertaking should also address the position of these functions within the undertaking, their rights and powers.

1.36. The participating insurance or reinsurance undertaking, the insurance holding company or the mixed financial holding company should ensure that the policies are implemented consistently across the group. In addition, it ensures that the policies of the entities of the group are consistent with the group policies.

Guideline 8 – Contingency plans

1.37. The undertaking should identify material risks to be addressed by contingency plans covering the areas where it considers itself to be vulnerable, and it should review, update and test these contingency plans on a regular basis.

Section 2: Remuneration

Guideline 9 – Scope of the remuneration policy

1.38. In its remuneration policy the undertaking should at least ensure that:
a) remuneration awards do not threaten the undertaking’s ability to maintain an adequate capital base;
b) remuneration arrangements with service providers do not encourage risk taking that is excessive in view of the undertaking’s risk management strategy.

1.39. The participating insurance or reinsurance undertaking, the insurance holding company or the mixed financial holding company should adopt and implement a remuneration policy for the whole group. This should take into account the complexity and structures of the group in order to establish, develop and implement a consistent policy for the whole group that is in line with the group’s risk management strategies. The policy should be applied to all relevant persons at group and individual entity level.

1.40. The participating insurance or reinsurance undertaking, the insurance holding company or the mixed financial holding company should ensure:
a) an overall consistency of the group's remuneration policies by ensuring that they comply with the legal requirements of undertakings which are part of the group and by verifying their correct application;
b) that all undertakings that belong to the group comply with the remuneration requirements;
c) that material risks at group level linked to remuneration issues in the group entities are managed.

Guideline 10 – Remuneration committee

1.41. The undertaking should ensure that the composition of the remunera

