The South African Insurance Industry Survey 2016 | 89
Risk data aggregation is the action of defining, gathering and processing risk data according to the bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite. The objective of BCBS239 is to enhance risk management and decision-making processes in banks. A SARB Directive was published in February 2015 and requires Domestic Systemically Important Banks (D-SIBs) to comply by 1 January 2017.

There are 14 principles under the headings of: Governance and Infrastructure, Risk Data Aggregation, Risk Reporting Practices and Supervisory Review.

Risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements.

Data architecture and IT infrastructure should fully support risk data aggregation capabilities and risk reporting practices during normal times and times of stress/crisis.

Risk Data Aggregation must be accurate and reliable, complete, timely and adaptable.

Risk Reporting Practices must be accurate, comprehensive, clear and useful, meet the needs of recipients (as set by the Board and Senior Management), and be distributed to relevant parties ensuring confidentiality is maintained.

In the Banking Sector, BCBS239 has driven significant transformational data and IT remediation activity.

Applying BCBS239 to insurance?
Some South African insurers will need to comply with BCBS239 to some extent if they are part of the D-SIB group, as categorised by SARB. This may be viewed as additional regulatory requirements to comply with that may add to organisational complexity and confusion. Alternatively, it could be seen as providing clarity within insurance regulation regarding bringing the puzzle pieces of effective risk and capital management together.

The principles are all quite sensible and could provide a list of what the CRO needs to achieve to enable senior management and the Board to meet their obligations under ORSA - not only the letter but also the spirit.

The practical application of the principles to insurance versus banking is as different as the sectors themselves, but the outcome will be similar, i.e. enhanced risk (and capital) management and decision-making processes.

Applying BCBS239 to insurance could be:
–– A regulatory requirement for an insurance company due to an organisation’s ownership structure;
–– An opportunity to implement best practice for insurance risk and capital management; or
–– Possibly, a future South African insurance regulatory requirement as Prudential Regulation falls under the Prudential Authority within SARB under Twin Peaks.

Lessons learned from BCBS239 for insurance
Applying BCBS239 to an insurance entity provides a unique way of looking at risk and capital management effectiveness which is not achieved by applying current SAM regulatory requirements, despite both comprising overlapping objectives.

Practically, the starting points are to:
–– Define how the principles will be applied to the business. This provides an opportunity to not only define compliance but also additional future states. These could fit into management’s view of what good looks like or could go further to a target end state for risk, finance or customer centricity and support a transformation programme.
–– Define what the risk data, risk aggregation processes and risk reporting in scope are. For insurance this takes us top-down from: the ERMF, the reporting that goes to Risk Committees/Forums responsible for managing risks, the Key Risk Indicators in the reports; to the underlying processes, datasets and systems. This provides an end-to-end view of risk and finance reporting from source data to Board level reporting.

A gap analysis of the current state against the future requirements, together with the planning of a roadmap to deliver future target states, answers the key questions: What is the state of risk management/reporting and what are the short, medium and long term priorities?

Key findings and themes from such an exercise probably won’t come as a surprise to an organisation but will uncover gaps where a siloed approach to implementing SAM has been applied, or where SAM guidance may not fully cover requirements, i.e. the missing puzzle pieces.

Key themes – Gaps in BCBS239 compliance
It is likely that under the ERMF there will be a Data Policy. But where does this sit? Typically it will be under IT and the remit of the CIO. Does the Data Policy adequately cover SAM requirements? Has it been implemented in a way that works for the business and ensures that risk and capital data is appropriate, complete and accurate?

In a non-life company, risk data can come from many sources, with some being external, presenting the concern of data quality.

These are just a couple of likely themes that may emerge.