3

Risk Management

3.1

  1. (1) A firm must establish, implement, and maintain an effective risk-management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report on a continuous basis the risks, at an individual and at an aggregated level, to which it is or could be exposed, and their interdependencies.
  2. (1A) The risk-management system must include the following:
    1. (a) a clearly defined risk-management strategy which is consistent with the firm’s overall business strategy. The objectives and key principles of the risk-management strategy, the approved risk tolerance limits and the assignment of responsibilities across all the activities of the firm must be documented;
    2. (b) a clearly defined procedure on the decision-making process;
    3. (c) written policies which effectively ensure the definition and categorisation of the material risks by type to which the firm is exposed, and the approved risk tolerance limits for each type of risk. Such policies must implement the firm’s risk strategy, facilitate control mechanisms and take into account the nature, scope and time periods of the business and the associated risks; and
    4. (d) reporting procedures and processes which ensure that information on the material risks faced by the firm and the effectiveness of the risk-management system are actively monitored and analysed and that appropriate modifications to the system are made where necessary.
  3. (2) That risk-management system must:
    1. (a) be effective and well integrated into the organisational structure and decision-making processes of the firm with proper consideration of the persons who have key functions;
    2. (b) cover the risks to be included in the calculation of the SCR as set out in Solvency Capital Requirement - General Provisions 3.3(1), as well as the risks which are not, or not fully, included in the calculation thereof; and
    3. (c) cover at least the following areas:
      1. (i) underwriting and reserving as set out in 3.1A(1);
      2. (ii) asset-liability management as set out in 3.1A(2);
      3. (iii) investment risk management, in particular derivatives, quasi-derivatives and similar commitments, as set out in 3.1A(3);
      4. (iv) liquidity risk and concentration risk management as set out in 3.1A(4) and 3.1A(5);
      5. (v) operational risk management as set out in 3.1A(6); and
      6. (vi) reinsurance and other risk-mitigation techniques as set out in 3.1A(7).
  4. (2A) A firm must ensure that, where appropriate, the performance of stress tests and scenario analysis with regard to all relevant risks faced by the firm, is included in its risk-management system.
  5. (2B) A firm must ensure that it takes into account the information reported as part of the risk-management system in its decision-making process.
  6. (3) Where a firm applies the matching adjustment or the volatility adjustment it must set up a liquidity plan projecting the incoming and outgoing cash-flows in relation to the assets and liabilities subject to those adjustments.
  7. (4) Where a firm applies the matching adjustment, the firm must manage any risks that are identified in the analysis undertaken in accordance with Matching Adjustment 10.1.

3.1A

A firm must ensure that the areas referred to in 3.1(2)(c) include all of the following policies:

  1. (1) Underwriting and reserving:
    1. (a) actions to be taken by the firm to assess and manage the risk of loss or of adverse change in the values of insurance and reinsurance liabilities, resulting from inadequate pricing and provisioning assumptions;
    2. (b) the sufficiency and quality of relevant data to be considered in the underwriting and reserving processes, as set out in Technical Provisions - Further Requirements 4 and their consistency with the standards of sufficiency and quality; and
    3. (c) the adequacy of claims management procedures including the extent to which they cover the overall cycle of claims.
  2. (2) Asset-liability management:
    1. (a) the structural mismatch between assets and liabilities and in particular the duration mismatch of those assets and liabilities;
    2. (b) any dependency between risks of different asset and liability classes;
    3. (c) any dependency between the risks of different insurance or reinsurance obligations;
    4. (d) any off-balance sheet exposures of the firm; and
    5. (e) the effect of relevant risk-mitigation techniques on asset-liability management.
  3. (3) Investment risk management:
    1. (a) actions to be taken by the firm to ensure that the firm’s investments comply with the Investments Part;
    2. (b) actions to be taken by the firm to ensure that the firm’s investments take into account the nature of the firm’s business, its approved risk tolerance limits, its solvency position, its asset-liability management policy, and its long-term risk exposure;
    3. (c) the firm’s own internal assessment of the credit risk of investment counterparties;
    4. (d) where the firm uses derivatives or any other financial instrument with similar characteristics or effects, the objectives of, and strategy underlying their use and the way in which they facilitate efficient portfolio management or contribute to a reduction of risks, as well as procedures to assess the risk of such financial instruments and the principles of risk-management to be applied to them; and
    5. (e) where appropriate in order to ensure effective risk-management, internal quantitative limits on assets and exposures, including off-balance sheet exposures.
  4. (4) Liquidity risk management:
    1. (a) actions to be taken by the firm to take into account both short-term and long-term liquidity risk;
    2. (b) the appropriateness of the composition of the assets in terms of their nature, duration and liquidity in order to meet the firm’s obligations as they fall due; and
    3. (c) a plan to deal with changes in expected cash in-flows and out-flows.
  5. (5) Concentration risk management: actions to be taken by the firm to identify relevant sources of concentration risk to ensure that risk concentrations remain within established limits and actions to analyse possible risks of contagion between concentrated exposures.
  6. (6) Operational risk management: actions to be taken by the firm to assign clear responsibilities to regularly identify, document and monitor relevant operational risk exposures.
  7. (7) Reinsurance and other insurance risk-mitigation techniques:
    1. (a) actions to be taken by the firm to ensure the selection of suitable reinsurance and other risk-mitigation techniques;
    2. (b) actions to be taken by the firm to assess which types of risk-mitigation techniques are appropriate according to the nature of the risks assumed and the capabilities of the firm to manage and control the risks associated with those techniques; and
    3. (c) the firm’s own assessment of the credit risk of the risk-mitigation techniques.
  8. (8) Deferred taxes:
    1. (a) actions related to the firm’s selection of methods and assumptions to demonstrate the amount and recoverability of the loss-absorbing capacity of deferred taxes;
    2. (b) involvement of the relevant key functions in the selection and assessment of methods and assumptions to demonstrate the amount and recoverability of the loss-absorbing capacity of deferred taxes, how the outcome of that assessment is reported to the governing body, including the assessment of the underlying assumptions applied for the projection of future taxable profit (for the purposes of recognising and valuing deferred taxes and making an adjustment for the loss-absorbing capacity of deferred taxes), and an explanation of any concerns about those assumptions, which must be carried out in each case by either the actuarial function or the risk-management function; and
    3. (c) risks that the firm is or could be exposed to, taking into account potential future changes in its risk profile due to its business strategy or the economic and financial environment, including operational risks and potential changes in its loss-absorbing capacity of deferred taxes. That assessment must include the overall reliance of the solvency and financial condition on deferred taxes and its consistency with the risk-management policy.

3.2

As regards asset-liability management, a firm must:

  1. (1) regularly assess the sensitivity of its technical provisions and eligible own funds to the assumptions underlying the extrapolation of the relevant risk-free interest rate term structure referred to in Technical Provisions 5;
  2. (2) where the matching adjustment is applied, regularly assess:
    1. (a) the sensitivity of its technical provisions and eligible own funds to the assumptions underlying the calculation of the matching adjustment, including the calculation of the fundamental spread referred to in Matching Adjustment 4, and the possible effect of a forced sale of assets on its eligible own funds;
    2. (b) the sensitivity of its technical provisions and eligible own funds to changes in the composition of the assigned portfolio of assets;
    3. (c) the impact of a reduction of the matching adjustment to zero;
  3. (3) where the volatility adjustment is applied, regularly assess:
    1. (a) the sensitivity of its technical provisions and eligible own funds to the assumptions underlying the calculation of the volatility adjustment and the possible effect of a forced sale of assets on its eligible own funds;
    2. (b) the impact of a reduction of the volatility adjustment to zero.

[Note: Art. 44(2a) of the Solvency II Directive]

3.3

A firm must submit the assessments referred to in 3.2 as part of the information reported annually in accordance with Reporting 2. Where the reduction of the matching adjustment or the volatility adjustment to zero would result in non-compliance with the SCR, the firm must also submit an analysis of the measures it could apply in such a situation to re-establish the level of the eligible own funds covering the SCR or to reduce its risk profile to restore compliance with the SCR.

[Note: Art. 44(2a) of the Solvency II Directive]

3.4

As regards investment risk, a firm must demonstrate that it complies with the Investments Part of the PRA Rulebook.

[Note: Art. 44(3) of the Solvency II Directive]

3.5

  1. (1) A firm must provide for a risk-management function that is structured in such a way as to facilitate the implementation of the risk-management system.

[Note: Art. 44(4) of the Solvency II Directive]

  1. (2) The risk-management function referred to in 3.5(1) must undertake all of the following tasks:
    1. (a) assisting the governing body and other functions in the effective operation of the risk-management system;
    2. (b) monitoring the risk-management system;
    3. (c) monitoring the general risk profile of the firm as a whole;
    4. (d) detailed reporting on risk exposures and advising the governing body on risk-management matters, including in relation to strategic affairs such as corporate strategy, mergers and acquisitions and major projects and investments; and
    5. (e) identifying and assessing emerging risks.
  2. (3) The risk-management function must fulfil all of the following requirements:
    1. (a) fulfil the requirements set out in 3.7;
    2. (b) liaise closely with the users of the outputs of the internal model; and
    3. (c) co-operate closely with the actuarial function referred to in Conditions Governing Business 6.

3.6

In order to avoid overreliance on external credit assessment institutions when it uses external credit rating assessments in the calculation of technical provisions and the SCR, a firm must assess the appropriateness of those external credit rating assessments as part of its risk management by using additional assessments wherever practicably possible in order to avoid any automatic dependence on external assessments.

[Note: Art. 44(4a) of the Solvency II Directive]

3.6A

In addition to the requirements referred to in 3.6, for the purposes of the calculation of technical provisions and the SCR, a firm must ensure that its internal risk-management methodologies do not rely solely or automatically on external credit assessments. Where the calculation of technical provisions or of the SCR is based on external credit assessments by an external credit assessment institution or based on the fact that an exposure is unrated, that does not exempt a firm from additionally considering other relevant information.

3.6B

For the purpose of assessing the appropriateness of external credit rating assessments used in the calculation of technical provisions and the SCR by way of additional assessments referred to in 3.6, a firm must include in its policy on risk management the following:

  1. (1) the scope and frequency of the additional assessments;
  2. (2) the manner in which the additional assessments are carried out, including the assumptions on which they are based; and
  3. (3) the frequency of the regular review of the additional assessments and the conditions requiring an ad hoc review of the additional assessments.

3.6C

A firm must ensure that its risk-management function covers the additional assessments in accordance with the risk management policy referred to in 3.6B and duly considers the results of the additional assessments in the calculation of technical provisions and the SCR.

3.6D

When carrying out the additional assessments referred to in 3.6B, a firm must use information that is derived from reliable sources that are up to date.

3.6E

  1. (1) In accordance with 2.4, a firm must at least annually review the additional assessments referred to in 3.6B.
  2. (2) A firm must review those additional assessments on an ad hoc basis, whenever any of the conditions under 3.6B(3) take place or if the assumptions on which those assessments are based, are no longer valid.

3.6F

A firm must document the following:

  1. (1) the manner in which the additional assessments referred to in 3.6B are carried out and the results of those assessments; and
  2. (2) the extent to which the results of those additional assessments are taken into account in the calculation of technical provisions and the SCR.

3.7

A firm that has received internal model permission must ensure that its risk-management function covers the following additional tasks:

  1. (1) to design and implement the internal model;
  2. (2) to test and validate the internal model;
  3. (3) to document the internal model and any subsequent changes made to it;
  4. (4) to analyse the performance of the internal model and to produce summary reports thereof; and
  5. (5) to inform the governing body about the performance of the internal model, suggesting areas needing improvement, and updating that body on the status of efforts to improve previously identified weaknesses.

[Note: Art. 44(5) of the Solvency II Directive]

3.8

  1. (1) A firm must conduct an ORSA as part of its risk-management system.
  2. (2) The ORSA must include at least the following:
    1. (a) the firm’s overall solvency needs taking into account the specific risk profile, approved risk tolerance limits and the business strategy of the firm;
    2. (b) the compliance, on a continuous basis, with:
      1. (i) the SCR and MCR; and
      2. (ii) the requirements regarding technical provisions, as set out in the Technical Provisions and Matching Adjustment Parts; and
    3. (c) the significance with which the risk profile of the firm deviates from the assumptions underlying the SCR.
  3. (3) For the purposes of 3.8(2)(a), the firm must:
    1. (a) have in place processes which are proportionate to the nature, scale and complexity of the risks inherent in its business and which enable it to properly identify and assess the risks it faces in the short and long term and to which it is, or could be, exposed; and
    2. (b) demonstrate the methods used in that assessment.
  4. (4) Where a firm applies the matching adjustment, the volatility adjustment, the risk-free interest rate transitional measure or the TMTP, it must perform the assessment of compliance with the capital requirements referred to in 3.8(2)(b) with and without taking into account those adjustments and transitional measures.
  5. (5) In the case referred to in 3.8(2)(c), when an internal model is used, the assessment must be performed together with the recalibration that transforms the internal risk numbers into the SCR risk measure and calibration.

[Note: Arts. 45(1), (2), (2a), (3) of the Solvency II Directive]

3.8A

  1. (1) A firm must ensure that the ORSA referred to in 3.8(1) is forward-looking and includes all of the following elements:
    1. (a) risks the firm is or could be exposed to, taking into account potential future changes in its risk profile due to its business strategy or the economic and financial environment, including operational risks; and
    2. (b) the nature and quality of own funds items or other resources appropriate to cover the risks identified in 3.8A(1)(a).
  2. (2) The elements referred to at 3.8A(1)(a) and (b) must take the following into account:
    1. (a) the time periods that are relevant for taking into account the risks the firm faces in the long term;
    2. (b) valuation and recognition bases that are appropriate for the firm's business and risk profile; and
    3. (c) the firm's internal control and risk-management systems and approved risk tolerance limits.

3.9

A firm must make the ORSA an integral part of its business strategy and take the ORSA into account on an ongoing basis in its strategic decisions.

[Note: Art. 45(4) of the Solvency II Directive]

3.10

A firm must perform the ORSA regularly and without delay following any significant change in its risk profile.

[Note: Art. 45(5) of the Solvency II Directive]

3.11

A firm must inform the PRA of the results of each ORSA in the form of an ORSA report in accordance with Reporting 2.5A(2)(a).

[Note: Art. 45(6) of the Solvency II Directive]

3.12

The ORSA report referred to at 3.11 must include all of the following:

  1. (1) the qualitative and quantitative results of the ORSA and the conclusions drawn by the firm from those results;
  2. (2) the methods and main assumptions used in the ORSA;
  3. (3) the information referred to at 3.8(2)(a) and a comparison between those solvency needs, the regulatory capital requirements and the firm's own funds; and
  4. (4) qualitative information on, and where significant deviations have been identified a quantification of, the extent to which quantifiable risks of the firm are not reflected in the calculation of the SCR.