On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the financial sector (DORA). With obligations under DORA coming into effect late in 2024 or early 2025 at the latest, in this briefing we take a closer look at its impact and consider what the regulation will mean for firms, their senior managers and operations and what firms should be doing now in preparation for day one compliance.
What is DORA?
Aimed at harmonising national rules around operational resilience and cybersecurity regulation across the EU, DORA establishes uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide services related to information communication technologies (ICT), such as cloud platforms or data analytics services.
DORA creates a regulatory framework on digital operational resilience whereby all in-scope firms need to make sure that they can withstand, respond to, and recover from, all types of ICT-related disruptions and threats. ICT is defined broadly to include digital and data services provided through ICT systems to one or more internal or external users, on an ongoing basis.
DORA forms part of the EU’s Digital Finance Package (DFP), which aims to develop a harmonised European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. The DFP also includes legislative proposals on markets in cryptoassets (MiCA), distributed ledger technology and a digital finance strategy.
Who will need to comply with DORA?
DORA will apply to financial entities, including:
cryptoasset service providers (authorised under MiCA) and issuers of asset-referenced tokens,
central securities depositories,
managers of alternative investment funds and management companies,
data reporting service providers,
insurance and reinsurance undertakings,
reinsurance intermediaries and ancillary insurance intermediaries,
institutions for occupational retirement pensions,
credit rating agencies,
administrators of critical benchmarks,
crowdfunding service providers and
securitisation repositories (Financial Entities).
DORA will also apply to ICT third-party service providers which the European Supervisory Authorities (the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), acting through their Joint Committee) (ESAs) designate as « critical » for Financial Entities (Critical ICT Third-Party Providers) through a newly established oversight framework.
The ESAs would make this designation based on a set of qualitative and quantitative criteria, including:
the systemic impact on the stability, continuity or quality of financial services in the event that the ICT third-party provider faced a large-scale operational failure to provide its services;
the systemic character or importance of Financial Entities that rely on the ICT third-party service provider;
the degree of reliance of those Financial Entities on the services provided by the ICT third-party service provider in relation to critical or important functions of those Financial Entities; and
the degree of substitutability of the ICT third-party service provider.
Any ICT third-party service provider not designated as critical would have the option to voluntarily « opt in » to the oversight. The ESAs may not make a designation in relation to certain excluded categories of ICT third–party service providers, including where Financial Entities are providing ICT services
to other Financial Entities,
to ICT third–party service providers delivering services predominantly to the entities of their own group or
to those providing ICT services solely in one Member State to financial entities that are active only in that Member State.
What are the key obligations?
DORA introduces targeted rules on ICT risk management capability, reporting and testing, in a way which enables Financial Entities to withstand, respond to and recover from ICT incidents. In principle, some of the requirements imposed by DORA, such as for ICT risk management, are already reflected to a certain extent in existing EU guidance (for example, the EBA Guidelines on ICT and security risk management).
The proposals include requirements relating to:
ICT risk management
DORA sets out key principles around internal controls and governance structures. A Financial Entity’s management body will be expected to be responsible for defining, approving, overseeing and being continuously accountable for a firm’s ICT risk management framework as part of its overall risk management framework. As part of the ICT risk management framework, Financial Entities need to maintain resilient ICT systems, revolving around specific functions in ICT risk management such as
identification of risks,
protection and prevention,
response and recovery and
Reporting of ICT-related incidents
DORA aims to create a consistent incident reporting mechanism, including a management process to detect, manage and notify ICT-related incidents. Incidents deemed « major » would need to be reported to competent authorities within strict time frames, including initial notifications « without delay » on the same day or next day by using mandatory reporting templates. In some cases, communication to service users or customers may be required.
As part of the ICT risk management framework, DORA requires Financial Entities to adopt a robust and comprehensive digital operational resilience testing programme covering ICT tools, systems and processes. Certain Financial Entities must carry out advanced testing of their ICT tools, systems and processes at least every three years using threat-led penetration tests.
DORA contains provisions which should facilitate the sharing, among Financial Entities, of cyber threat information and intelligence, including
indicators of compromise,
techniques and procedures,
cyber security alerts and
to strengthen digital operational resilience.
Financial Entities will only be permitted to make use of the services of a third-country Critical ICT Third-Party Provider if such provider establishes a subsidiary in the EU within 12 months following its designation as a Critical ICT Third-Party Provider.
A simplified set of ICT risk framework requirements will apply to certain Financial Entities, including small and non-interconnected investment firms and payment institutions exempted under the Second Payment Services Directive. Such entities will need to comply with a reduced set of requirements under DORA, including the requirement to put in place and maintain a sound and documented risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of all ICT risks, including for the protection of relevant physical components and infrastructures.
What should firms be doing now to prepare?
Although it is not expected that DORA will apply to in-scope entities until late 2024 (see below), firms should now begin considering the steps that they will need to take to ensure day one compliance. These include:
Scope out impact
Taking a risk-based approach reflective of their size, nature, scale and the complexity of their services and operations, Financial Entities should begin to scope out the impact of DORA on their business. Firms should carry out a comprehensive gap analysis of their existing ICT-risk management processes against the new requirements introduced by DORA to identify any aspects of their existing processes that will be impacted by the new requirements and develop detailed implementation plans setting out the steps that will need to be taken to effect relevant changes. As part of this, Financial Entities should ensure that they have in place appropriate:
(i) capabilities to enable a strong and effective ICT risk management environment;
(ii) mechanisms and policies for handling all ICT-related incidents and reporting major incidents; and
(iii) policies for the testing of ICT systems, controls and processes and the management of ICT third-party risk.
This process will be iterative as some of the more detailed requirements of DORA will be further developed through technical standards to be published by the ESAs in due course.
Critical ICT Third-Party Providers
Critical ICT Third-Party Providers will be required to have in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to Financial Entities. Although DORA provides that the designation mechanism (pursuant to which the ESAs may designate an ICT third-party service provider as « critical ») must not be used until the Commission has adopted a delegated act specifying further details on the criteria to be used in making such an assessment (to be adopted within 18 months after the date on which DORA enters into force), it is expected that certain categories of providers, such as cloud computing service providers who provide ICT services to Financial Entities, will be designated as Critical Third-Party Providers.
Consequently, such providers may wish to begin the task of benchmarking their existing systems, controls and processes against existing guidelines, such as the EBA Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements, to the extent required, to identify areas that require further investment and maturity. They will also need to consider whether new and existing contracts give them sufficient flexibility to comply with new regulatory rules, orders and directions, even if this would otherwise be inconsistent with their contractual obligations. As set out above, certain categories of ICT third-party service providers are expressly excluded from the designation mechanism, including Financial Entities providing ICT services to other Financial Entities, ICT intra-group service providers and ICT third-party service providers providing ICT services solely in one Member State to Financial Entities that are only active in that Member State.
Third Country Critical ICT – Third-Party Providers – Subsidiarisation
The EU subsidiarisation requirement that will apply to third country Critical ICT Third-Party Providers is one that will necessitate early engagement between such providers and the Financial Entities that they serve. While it is not clear what role the EU subsidiary must play in the provision of services to the relevant Financial Entity (e.g. whether the provider must act as contractual counterparty), Recital 58 of DORA indicates that the requirement to set up a subsidiary in the EU does not prevent ICT services and related technical support from being provided from facilities and infrastructures located outside the EU. Nevertheless, where a relevant third country ICT third-party provider that is likely to be designated as « critical » indicates that it does not intend to establish a subsidiary in the EU, even following a designation as such by the ESAs, Financial Entities may wish to commence the process of identifying alternative providers, since they will not be permitted to obtain ICT services from a third country Critical ICT Third-Party Provider that fails to establish a subsidiary in the EU within 12 months following its designation as critical.
Companies that consider they are likely to be classified as Critical ICT Third-Party Providers that do not already have an establishment or subsidiary located in the EU should begin to consider now which Member State would be most appropriate to establish a new subsidiary in, taking into account their business operations and the various applicable legal requirements.
As noted above, DORA sets out core contractual rights in relation to several elements in the performance and termination of contracts with a view to enshrine certain minimum safeguards underpinning the ability of Financial Entities to monitor effectively all risk emerging at ICT third-party level. Some contractual requirements set out in DORA are mandatory and will need to be included in contracts, if not already reflected. Others take the form of principles and recommendations and may require negotiation between the relevant parties. Early mapping and engagement in this respect will be important. Additionally, parties may wish to consider benchmarking their existing contractual arrangements against relevant requirements set out in DORA, as well as existing standard contractual clauses developed by EU institutions.
For example, Recital 55 of DORA notes that « the voluntary use of contractual clauses developed by the Commission for cloud computing services may provide comfort for Financial Entities and ICT third-party providers by enhancing the level of legal certainty on the use of cloud computing services in full alignment with requirements and expectations set out by the financial services regulation ».
As the industry awaits more detailed technical standards to be developed and published by the relevant ESAs, as well as DORA compromise/Level 1 text, in-scope entities may consider using existing guidelines such as the EBA Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements as useful benchmarking tools in preparation for day one compliance.
How does DORA interact with NIS2?
The second iteration of the Security of Network and Information Systems Directive (NIS2) aims to strengthen security requirements and provide further harmonisation of Member States’ cybersecurity laws, replacing the original NIS Directive of 2016 (NIS1). Its timeline is similar to that for DORA, with a provisional agreement among EU institutions reached in May 2022, and its adoption confirmed in a European Parliament plenary session vote on 10 November 2022. NIS2 significantly extends the scope of NIS1 by adding new sectors, including « digital providers » such as social media platforms and online marketplaces, for example, but importantly also introduces uniform size criteria for assessing whether certain financial institutions (and other entities) fall within its scope. NIS2 sets out cybersecurity risk management and reporting obligations for relevant organisations, as well as obligations on cybersecurity information sharing, so there is some overlap in coverage with DORA.
However, this has been addressed during the legislative process to ensure that financial entities will have full clarity on the different rules on digital operational resilience that they need to comply with when operating within the EU. NIS2 specifically provides that any overlap will be addressed by DORA being considered as lex specialis (ie a more specific law that will override the more general NIS2 provisions).
How does DORA compare with international developments?
The introduction of DORA in the EU reflects a global focus on operational resilience and strengthening cybersecurity standards in the wake of ever-increasing digitalisation of financial services and increasingly sophisticated cyber incidents. For example, in March 2021, the Basel Committee on Banking Supervision issued its Principles for operational resilience, as well as an updated set of Principles for the sound management of operational risk (PSMOR), which aim to make banks better able to withstand, adapt to and recover from severe adverse events.
In October 2022, following a G20 request, the Financial Stability Board (FSB) published a consultation on Achieving Greater Convergence in Cyber Incident Reporting, recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and promoting financial stability and with a view to ensuring that financial institutions operating across borders are not subject to multiple conflicting regimes. The FSB proposals include recommendations to address the challenges to achieving greater international convergence in cyber incident reporting, work on establishing common terminologies related to cyber incidents and a proposal to develop a common format for incident reporting exchange.
Following its departure from the EU, the UK has introduced a Financial Services and Markets Bill (the UK Bill) which includes proposals to regulate cloud service providers and other critical third parties supplying services to UK regulated firms and financial market infrastructures. HM Treasury would have powers to designate service suppliers as ‘critical’ and the UK regulators would have new powers to directly oversee designated suppliers, which would be subject to new minimum resilience standards. While the proposals have the same ambitions as, and there are similarities with, the requirements under DORA, there are a number of key differences between them.
For example, the proposed enforcement regime under DORA for Critical ICT Third-Party Providers is very different from the equivalent regime proposed by the UK Bill. Under DORA, the ESAs will be designated as « Lead Overseers », but with the power only to make ‘recommendations’ to Critical ICT Third-Party Providers, in contrast to the ability for UK regulators to make rules applying to, or to give directions to, critical third parties subject to the UK Bill, with the ability to issue sanctions for non-compliance. Under DORA, non-compliance by a Critical ICT Third-Party Provider with recommendations gives the Lead Overseer the ability to notify and publicise such non-compliance and « as a last resort » the option to require Financial Entities to temporarily suspend services provided by such provider until the relevant risks identified in the recommendations have been addressed.
This means that the liability and contractual issues for Critical ICT Third-Party Providers providing services in the EU will be different than for those providing services in the UK, and that contracts for each will need to be considered and negotiated carefully.
Next steps and legislative timeline
Following adoption of DORA by the European Parliament plenary session on 10 November 2022, the regulation is now passing through the final technical stages of the formal procedure for European legislation. The text still needs to be formally approved by the Council of the EU before being published in the Official Journal, which is expected in December 2022 or January 2023.
DORA will come into effect on the twentieth day following the day on which it is published in the Official Journal. It will apply, with direct effect, 24 months from the date on which it enters into force. Therefore, it is expected that DORA will apply to in-scope firms from late 2024 or early 2025 at the latest.
Initiating your company’s commitment to reporting its environmental, social, and governance (ESG) metrics can prove a daunting task. But keep in mind: It’s a marathon, not a sprint.
“You don’t have to be perfect on Day 1, Your suppliers and stakeholders want to see progress.”
If your company is at this stage—perhaps bracing for the climate-related disclosure rule proposal put forward by the Securities and Exchange Commission (SEC) in March—a roadmap for getting your ESG efforts off the ground could look like this:
Transparency and annual reporting: “Start by identifying all the things your company is doing on ESG and build a baseline, that will give you an indication of how mature your program is today. Most likely you’re doing a lot already.”
Peer benchmarking: Where are your competitors in their ESG journeys? Have any of them experienced public success or failure you can learn from? From this exercise, your company can set realistic expectations of where it wants to be to keep pace with the competitive landscape.
Materiality assessment: “Understanding the materiality drivers for your industry or industries, depending on how your company is structured, is helpful”. The Sustainability Accounting Standards Board (SASB) offers a materiality map that provides guidance for 77 different industries. “Having something at the bottom doesn’t mean it’s not important and you stop doing it, but it helps you focus on the top tier, those are the items you need to set public goals on.” External materiality assessments also add credibility. »
Strategy framework: You know what your peers are doing, you know what’s important to the company and its investors— now is when you build out your strategy. “What does ESG mean for us?” “What are we trying to achieve?” ESG means different things for different companies, but “there’s also some fundamental truths about what ESG is and how and who ESG is serving—the stakeholders involved in your business.” Particularly for compliance professionals, serving shareholders is a natural strategic goal to build around.
Goal setting/resetting: During the peer benchmarking stage, you might note some of the milestones your competitors are striving toward. Their goals can help shape your own. “Do you want to be with the group where you’re just managing expectations, or do you want to compete or lead? It doesn’t happen overnight; you have to go through it step-by-step and build your goals for the long term to move the needle on this. If you’re setting carbon-neutral or net-zero deadlines, be realistic. “Put something out there that is achievable but not too easy”.
Implementing and measuring: This is the most important step because “it’s not in your hands anymore, You have to depend on your cross-functional teams … they will be the ones doing the work and implementing the initiatives.” Legal, human resources, operations, and other departments each have a part to play. You set up a dashboard to track how it was progressing on its key performance indicators on a quarterly basis. “We didn’t wait until the annual report to find out how we did”.
Improvement and adjustment: ESG reporting is a cycle, as evidenced by the arrow in the roadmap image. Going through these steps each year will help ensure a business is tailoring its objectives to continue to serve the most important piece of the puzzle. “This (ESG) is about the people, this is not about the processes, procedures, or requirements. It’s about the people—inspiring the people, collaborating cross-functionally, getting that momentum. That will help you move a lot faster.”
ESG: Adapting businesses should look beyond what is financially material
Environmental, as many would expect, covered climate-related elements, including carbon, energy, water, waste, and circularity. Diversity and inclusion, workplace safety, data privacy and protection, and customers and community fell under social. Governance claimed ethical business practices, board structure, disclosures and reporting, and executive compensation.
While ESG is comprised of just three words, it represents a lot more, encompassing many aspects of how businesses can operate efficiently, ethically, and more financially sound. “Sometimes you have to take out some of the buzzwords that cause people to lock in to certain thinking and open it up. One way to do that is to call it strategic nonfinancial materiality.”
It’s important to think of sustainability initiatives in terms of strategic nonfinancial materiality when it comes to the “tragedy of the commons,” a popular term in environmental science. “When we come across something we can use with no associated cost, we historically 100 percent of the time overuse and mismanage it. If something is common, we manage to mess it up.”
Examples of this include the atmosphere, oceans, and low earth orbit. Prudent corporations can innovate their thinking by getting ahead of an issue and “band[ing] together with industry [or] with other people who use those commons.” One way to think about this, is the term “double materiality,” which is often associated with the European Union’s Nonfinancial Reporting Directive. Double materiality calls for companies to consider their impact on society and the environment in addition to how sustainability issues affect the company.
“In the United States, we’re very well focused on financial materiality.” Also worth considering is “dynamic materiality,” a term utilized by the World Economic Forum that encourages companies to track certain factors year-over-year that might not be material now but could be in the future as the environment changes rapidly.
“These are dynamically material risks. You may still not know anything about them, but it is important to track them potentially as emerging risks, so, innovate how you look at not just what’s a snapshot material now but what are those things that are likely to be material soon.”
Regarding social, it’s suggested to contemplate news stories over the last few years that have changed how we deal with employees as an example. “They didn’t happen in a continuity, one day you weren’t talking about it, the next day it was on the front page and didn’t go off. Those are dynamically material things that drastically change, and you should be able to look for them.”
The Securities and Exchange Commission’s (SEC) proposed climate-related disclosure rule released in March puts forward a similar process, asking companies “to report items that aren’t financially material but are risks nonetheless. This is new, and it’s going to affect the assurance functions,” including
enterprise risk management,
and trade compliance.
“Assurance functions rely on governance and rules, and as we do this, we are going to expand that governance. When you do, you can expand assurance.”
Under the SEC’s proposal, assurance—first limited, then reasonable—is required for Scope 1 and 2 greenhouse gas emissions disclosures outside of the financial statements for accelerated and large accelerated filers. There is no initial attestation requirement for Scope 3 disclosures, which are also subject to a safe harbor provision for affected registrants.
Regarding internal audit, “Maybe we can apply more automation [and] more data analytics to those areas. There is going to be more governance and rigor applied. Maybe more of our creative aspects and our more human and complex audits can go to other places because if greenhouse gas emissions are going to be extremely rigorized, similar to financials, maybe that can be a robotic process automation.”
Hidden Opportunities of Aligning Ethics and Compliance with ESG
ESG is rapidly evolving from grass-roots activism into a top down, board-driven mandate. It’s no mystery why, given that ESG assets make up a third of total global assets under management and are expected to surpass $50 trillion by 2025. ESG investing (also known as “impact investing”) was born of a growing awareness that long-term financial performance of businesses is inextricably intertwined with environmental, social, and governance factors. It has gained considerable traction as research suggests that companies with high ESG ratings tend to outperform their counterparts.
As a result, companies are moving beyond “check the box” ESG disclosures, to instead build out substantive ESG programs, identify appropriate quantitative and qualitative metrics to measure and validate their ESG initiatives, and distinguish themselves with “AAA” ESG ratings. Corporations are devoting significant capital, time, and resources to embedding environmental, social and governance factors into their business strategies and preparing annual ESG disclosures. Because ethics and compliance is so tightly woven into the social and governance elements of ESG, ethics and compliance officers are uniquely poised to support this broader effort in a number of ways.
THE OVERLAP BETWEEN E&C AND ESG
While ESG is strongly associated with environmental initiatives such as lowering carbon footprint, social and governance factors have achieved equal prominence. “Social” and “governance” define a company’s corporate citizen persona—or how it behaves—which is the heart and soul of ethics and compliance and, increasingly, a key factor in market valuation.
Ensuring a company behaves responsibly and ethically is both the mission of a Chief Ethics and Compliance Officer and the purpose of an ESG program. CECOs therefore have oversight of much of the infrastructure that supports social responsibility and prevents corruption, such as
Code of Conduct and policies,
workplace health and safety,
data protection and privacy,
whistleblower hotlines, workforce training,
and prevention of fraud, bribery and money laundering.
Ethics and compliance is mission critical because it is the reputational guardian of the company, the first line of defense against ethical fading. Thanks in large part to the lightning speed of today’s news cycle and the instantaneous impact of social media, corporate malfeasance scandals can have massive immediate impact on reputation and by extension valuation. It’s not unusual for news of bad corporate behavior to be accompanied by an immediate 20-30% drop in market cap. For a $3 billion company, that can equate to a one-day loss of $1 billion.
WHY SHOULD CECOS ALIGN WITH ESG?
It’s early days for ESG, relatively speaking, and best practices for building, quantifying, and disclosing ESG programs are rapidly evolving. As companies move towards transparency and begin walking the talk by aligning corporate culture to the stated ESG values, the historical function of E&C rolls up naturally to support these efforts. Opportunities abound for ethics and compliance leaders who join the challenge to improve their company’s ESG report card:
Board visibility: Boards have come to recognize that robust ESG programs not only attract investors, but also offer a framework to mitigate business risk and future proof the company. Boards are now dedicating agenda time to embedding ESG into company strategy and risk mitigation. As a result, the head or coordinator of a company’s ESG program often reports to the board.
More funding: A traditional ethics and compliance framework is often insufficient to meet the broader mandate of ESG. The top accounting and consulting firms are investing in building capability and capacity for ESG advisory services, and CECOs should be doing likewise internally. By tying ethics and compliance programming to ESG, E&C officers can tap into a bigger budget pool.
Organizational clout: ESG planning and disclosure requires holistic engagement across the organization. By ensuring ethics and compliance is a strong complement of, and contributor to, the high-visibility high-value ESG initiative, CECOs can break organizational silos and increase the intrinsic value of ethics and compliance (and their roles) in the process.
The development of decision-relevant climate change risk assessment with a holistic approach requires an exploratory, iterative and adaptive process that will take time. A holistic approach considers physical, transition and litigation risks and their interactions at different time horizons in the short and long term. It considers both sides of the balance sheet, as well as interactions across business functions and decision feedback loops to assess the materiality of risks and develop potential actions to address them. Importantly, some re/insurers that have advanced further in this iterative process have found it beneficial to anchor the assessment in overarching decision areas that link both sides of the balance sheet. While re/insurers in all business lines have started exploring the materiality of physical and transition climate change risks on each side of the balance sheet, for life & health re/insurers in particular, more research is required to assess the attributions and materiality of climate change to their underwriting exposures – including longevity, mortality and morbidity –over various time horizons. As research in this field progresses, the ability both to assess life & health re/insurer liability exposures and perform more holistic assessments will improve.
An analysis of regulatory developments since June 2021 and a survey conducted by The Geneva Association reveal that the regulatory and supervisory priorities and approaches are increasingly aligned with earlier GA task force recommendations related to climate change risk assessment and scenario analysis.
Responses from 11 regulatory bodies to a Geneva Association Survey shed light on the regulatory objectives and priorities that can help guide climate change risk assessment exercises within and across jurisdictions. Our analysis has revealed the top four regulatory priorities:
the insurer’s financial health,
corporate governance and strategy,
the insurability/affordability of insurance solutions,
raising risk awareness,
addressing data/risk assessment services and environmental stewardship.
Company boards and executive management need to consider the following four key issues to drive the process towards a more holistic approach that would produce decision-useful information:
Board oversight and executive management buy-in for company-wide engagement, along with appropriate resource allocation to build these capabilities, are important;
The coordination and execution of climate change risk assessment require an internally established, company-specific mandate with clear accountability;
Central to this process is the development of overarching decision-relevant questions for the board and the C-suite (a list based on the GA survey of regulatory and standard-setting bodies is included);
Company-relevant business use cases should be designed and utilised to guide the iterations of climate change risk assessment.
A 10-step template provided in this report can help companies design business use cases to frame the analysis, engage experts from relevant business functions across the balance sheet, and mine and utilise the same data and tools across the company. It is important to start simple by exploring the impacts of each climate change risk type, on each side of the balance sheet, considering short- and long-term time horizons. With each iteration, companies can build up the level of complexity by assessing the interactions of physical, transition and litigation risks and exploring how these risks are manifested within and across business functions. Of note:
This process should consider internal business functions and their interactions as well as external drivers that impact issues relevant to the business use case, by risk type and time horizon;
Materiality analysis is at the heart of climate change risk assessment, allowing focus on the areas most impacted by climate change risks and identifying priorities for a deeper dive and resource allocation;
As part of the design and implementation of business use cases, the company should seek to identify metrics to measure and monitor the risks and track the impacts of the measures taken to manage them;
This resource-intensive process will take time and present challenges that will need to be addressed, ranging from overtime and the availability of data for the given region to internal experience and expertise, and the availability of best practices. In this report, we offer three examples of business use cases to demonstrate these points.
The use of forward-looking scenario analysis needs to be further explored, depending on the issue being considered. Scenario analysis is a tool for conducting a forward-looking assessment of risks and opportunities, where the company can systematically explore individual or combined factors and make strategic decisions in the face of significant uncertainties. Scenario analysis may be used for a range of applications, for example:
Testing the resilience of a company’s business model to climate change-related risks;
Assessing the implications of possible actions a company can take;
Stress-testing the company’s business model under extremely adverse conditions.
Through strong industry collaboration, re/insurers should conduct an analysis of existing data challenges, gaps and needs, and define priority areas and requirements for the future development of tools. More work is required by re/insurers and regulatory bodies to identify gaps in data, to converge on best practices and build a robust toolbox for forward-looking climate change risk analyses. Since 2021, several organisations have offered an assessment of the gaps in climate change risk data and tools in the current landscape, with a focus on certain applications or segments in the financial sector. The journey towards a holistic approach could lead re/insurers to address such gaps over time, not least in emissions data, asset locations and supply chain data. Note that life & health re/insurers still face challenges when it comes to identifying the types of data that would allow the extraction of climate change attribution and liability exposures.
Importantly, company leadership should seek to harmonise and align their net-zero target-setting activities using ‘inside-out’ analysis with efforts to assess the resilience of their business model to climate change risks using ’outside-in’ approaches for developing viable targets, transition strategy and plans. In fact, a growing number of critics are calling out the misalignment of net-zero pledges with what the companies can actually deliver and the possibility of greenwashing, which could lead to potential reputational and climate litigation risks or even regulatory action.
Robust intra- and inter-sectoral collaboration is the only way to expedite the development and convergence of good practices, meaningful baseline requirements for decision-useful climate change risk assessments and disclosures that would allow for cross-company comparisons. To this end, we acknowledge and deeply appreciate the growing proactive collaboration and engagement across the insurance industry and with key regulatory and standard-setting bodies in the financial sector.
In 2020, The Geneva Association (GA) launched its task force on climate change risk assessment with the aim of advancing and accelerating the development of holistic methodologies and tools for conducting forward-looking climate change risk assessment. These efforts have intended not only to support primary insurance and reinsurance companies and regulatory bodies with innovation in this area, but also to demonstrate the benefits of industry-level collaboration to help expedite the development and convergence of best practices.
In its first two reports, the GA task force highlighted the complexities associated with the development of forward-looking climate change risk assessment methodologies and tools. It stressed the need to develop methodologies for holistic climate change risk modelling and scenario analysis for both sides of the balance sheet, using a combination of qualitative and quantitative approaches. The GA task force also highlighted the implications of physical and transition risks for the insurance industry, with a focus on the challenges of quantitative scenario analysis approaches. The conclusion was that the prescriptive quantitative regulatory exercises to date, which were conducted to raise awareness, have outlived their purpose. More specifically, these resource-intensive exercises do not provide decision-useful information given the significant uncertainties associated with the transition to a carbon-neutral economy (e.g. uncertainties associated with public policy, market and technology risks). Finally, the GA task force called on regulatory bodies to clarify their regulatory objectives and explain how their exercises would deliver decision-useful information. It also stressed the need for convergence on baseline regulatory requirements for analysis and reporting across jurisdictions. To this end, it encouraged stronger collaboration between regulatory bodies within and across jurisdictions, as well as with the insurance industry, to enable the sharing of lessons learned and access to broader expertise, in the aim of expediting the convergence of best practices.
Since June 2021, there have been several developments on the policy, technology, regulatory and scientific fronts, with implications for companies’ climate change risk assessment.
The evolving regulatory landscape for climate change risk assessment
Between June 2021 and May 2022, certain regulators launched new initiatives and published guidelines. A synthesis of these developments reveals the need for regulatory bodies to:
Acknowledge the limitations of current tools, models and data for long-term quantitative scenario analysis (as evidence, the 2021 Bank of England Climate Biennial Exploratory Scenarios experiment concluded that projections of climate change losses are uncertain; the view that scenario analysis is still in its infancy, with notable data gaps; and the increasing recognition among some regulatory bodies that quantitative approaches can and should be complemented with qualitative assessments, especially over a longer time horizon);
Stress the need to consider multiple scenarios representing different plausible pathways of transition or physical risks, and expand benchmark scenarios (typically NGFS) with sectoral and geographical granularity considerations;
Recognise the principle of proportionality, with expectations linked to the size and organisational complexity of the company;
Stress the importance of materiality in supervisory expectations for quantitative assessments as well as robust governance of climate change risks, with a need for transparency, particularly in relation to re/insurer investments in carbon-intensive sectors.
As of July 2022, there are still variations in the approaches used by regulators. Regulators agree, however, that this could impede comparisons across companies and jurisdictions as well as the ability to assess broader systemic economic and social impacts. Importantly, the International Association of Insurance Supervisors (IAIS) is working on promoting a globally consistent supervisory response to climate change, with a focus on three areas:
and scenario analysis,
by providing guidance to regulatory bodies. The Financial Stability Board (FSB) is also issuing guidance on supervisory and regulatory approaches across borders and sectors to address market fragmentation and potential sources of systemic risk. Finally, the development of a global baseline for sustainability reporting standards with a focus on climate change, by the ISSB, aims to translate them further into harmonised inter-jurisdictional standards.
Strategic importance of aligning inside-out and outside-in climate risk assessment approaches
Companies are conducting two types of climate risk assessment:
Inside-out analysis: This includes assessing the impact of the company’s actions on the climate by setting their climate targets (e.g. net zero targets) based on a variety of science-based approaches, such as those introduced by the UN Net-Zero Asset Owner Alliance (UN NZAOA) and the Science-Based Targets initiative (SBTi). For example, the UN-convened Net-Zero Alliances uses 1.5°C-compatible pathways, which may be far more ambitious than what companies and the real economy can deliver. In fact, the UN NZAOA has warned that the global economy does not move as is required by science, leading to a widening gap between companies’ climate targets and the real economy. Net-zero targets need to take this widening gap into account as this misalignment could lead to other financial and non-financial risks for the company, including reputation risk. This is further exacerbated by the fact that climate science is still evolving.
Outside-in analysis: This involves assessing the resilience of the company’s business model to climate change risks, which is the focus of this report. It is important to emphasise that the development of the company’s strategy, transition plan and related actions cannot be done solely using inside-out analysis. Conducting outside-in analysis is critical, enabling the company to assess not only the impacts of climate change risks and their interactions, but also the implications of the possible range of activities under different scenarios on the firm’s business model. Of note, the inside-out view puts greater emphasis on ‘impact’ – which has a clear political component and should be grounded in materiality assumptions, which is the central objective of the outside-in analysis.
In summary, companies should seek to harmonise and align inside-out with outside-in climate change risk assessment efforts (Figure 1). In fact, a growing number of critics are calling out the misalignment of net-zero pledges by the financial sector, in light of their already committed investments in carbon-intensive sectors for the years to come. Critics are also raising the possibility of greenwashing, which could lead to potential climate litigation risk. Regarding the latter, some regulators are developing KPIs to assess and monitor the existence and level of greenwashing as part of their efforts to incorporate climate change factors into their regulatory mandate.
Global disruptions and an increasingly complex macroeconomic outlook will be key elements of the strategic environment for the foreseeable future. For leaders, the only certainty is that waiting for clarity is a losing move. The best organizations know how to turn uncertainty into opportunity. Their playbook relies on two critical elements:
a shared and clear view of the world and the strategic challenges/opportunities it presents
and a resilient and adaptable plan to win.
A view of the world
Today’s global disruptions (e.g., geopolitical tensions, supply chain and economic headwinds (e.g., soaring inflation, rising interest rates, decelerating growth, and currency fluctuations)) have created a complex, once in a generation, competitive environment with significant variations across geographic areas and sectors.
Navigating this unprecedented complexity requires business leaders to develop a dynamic perspective not only on the most likely scenarios for how their operating and economic environments will evolve, but also on the distinct opportunities and risks these scenarios present for their organizations.
This research shows that “winners” in economic uncertainty do not just sit back and wait for recovery instead, they are proactive and turn ambiguity into opportunity.
A plan to win
There is no “one size fits all” solution to today’s complex strategic challenges. But this research suggests that the best companies do two things well in crafting their unique plans to win:
First, they have a clear understanding of their strategic starting point that takes into account nuanced and deaveraged perspectives on the economic and operational stability of the markets in which they operate as well as on their own organizations’ financial strength (e.g., profit volatility, free cash flow to debt ratio) ultimately falling into four high level starting point archetypes
And second, they embed a “dynamic strategy” mindset into their planning, comprising three elements:
Sensing: Observing trends, defining and monitoring critical uncertainties, and outlining a set of scenarios against which to assess business decisions
Adapting: Building operational and financial stability by shaping and reshaping strategies based on market trends and data driven forecasts
Thriving: Moving rapidly from assessment to action to seize growth opportunities and strengthen competitive advantage
Increasing uncertainty driven by a set of global disruptions and exacerbated by macroeconomic headwinds needs to be met head on.
Different sectors are affected differently by macro uncertainties
Sectors like agriculture are typically less vulnerable to business cycle shifts, while other sectors (e.g., media, tech, fashion) tend to be more affected. But this varies by recession depending on drivers.
Some sectors (e.g., retail), which were less vulnerable in the early 2000s recessions, are showing greater vulnerability in the current environment.
With the current disruptions and uncertainties, it is imperative for business leaders to reevaluate:
The stability of their portfolio against economic downturns & market disruption
The internal financial stability to cope with uncertainty
Each business context is distinct, but four starting-point archetypes can help leaders understand the moves most relevant for their organizations.
Take 3 key steps to navigate uncertainty and win in a downturn:
Sensing macroeconomic and disruptive trends to shape (and reshape) future scenarios that guide strategic decisions
Adapting business and functional strategies in response to new insights and to market, economic, and competitive developments
Thriving by building competitive advantage to turn adversity into opportunity
Actions should be based on the specific business context.
EXECUTIVE SUMMARY AND POLICY ACTIONS The recovery associated with the receding pandemic has slowed as a result of the Russian aggression in Ukraine. It has contributed to high inflation and is damaging the economic outlook, which led to increased financial market risks across the board. The economic and financial impact of the invasion has been felt globally, alongside enormous humanitarian consequences. Prices in energy and commodity markets have risen to record highs. Production and logistics costs have risen and household purchasing power has weakened. After a long period characterized by very low inflation and interest rates, policy rates are being raised in response to high inflation. The resulting higher financing costs and lower economic growth may put pressure on the government, and on corporate and household debt refinancing. It will likely also have negative impact on the credit quality of financial institution loan portfolios. Financial institutions are moreover faced with increased operational challenges associated with heightened cyber risks and the implementation of sanctions against Russia. The financial system has to date been resilient despite the increasing political and economic uncertainty.
In light of the above risks and uncertainties, the Joint Committee advises national competent authorities, financial institutions and market participants to take the following policy actions:
Financial institutions and supervisors should continue to be prepared for a deterioration in asset quality in the financial sector. In light of persistent risks that have been amplified by the Russian invasion and a deteriorating macroeconomic outlook, combined with a build-up of medium-term risks with high uncertainty, supervisors should continue to closely monitor asset quality, including in real estate lending, in assets that have benefitted from previous support measures related to the pandemic, and in assets that are particularly vulnerable to rising inflation and to high energy- and commodity prices.
The impact on financial institutions and market participants more broadly from further increases in policy rates and the potential for sudden increases in risk premia should be closely monitored. Inflationary pressures coupled with uncertainty on risk premia adjustment raise concerns over potential further market adjustments. Rising interest rates and yields are expected to improve the earnings outlook for banks given their interest rate sensitivity. They could also reduce the valuation of fixed income assets, and result in higher funding costs and operating costs, which might affect highly indebted borrowers’ abilities to service their loans. Credit risks related to the corporate and banking sector also remain a primary concern for insurers and for the credit quality of bond funds. High market volatility stemming from the above economic and geopolitical situation could also raise short-term concerns and disruptions for market infrastructures.
Financial institutions and supervisors should be aware and closely monitor the impact of inflation risks. The economic consequences of the Russian aggression mainly channel through energy and commodity markets, trade restrictions due to sanctions and the possible fragmentation of the global economy. Financial fragmentation, including fragmentation of funding costs, could threaten financial stability and put pressure on price stability. Inflation is not only relevant from a risk perspective, but is expected to reflect also on the actual benefits and pensions, inflationary trends should be taken into account in the product testing, product monitoring and product review phases. Financial institutions and regulators should make extra efforts to ensure investor awareness on the effects of inflation on real returns of assets, and how these can vary across different types of assets.
Supervisors should continue to monitor risks to retail investors some of whom buy assets, in particular crypto-assets and related products, without fully realizing the high risks involved. Some retail investors may not be fully aware of the long-term effects of rising inflation on their assets and purchasing power. In the context of growing retail participation and significant volatility in crypto-assets and related products, retail investors should be aware of the risks stemming from these. The recent events and subsequent sell-off of crypto assets raises concerns on the appropriate assessment of the risks and the developments of this market segment going forward and requires particular attention of financial institutions and supervisors. Where disclosures are ineffective, these risks are compounded.
Financial institutions and supervisors should continue to carefully manage environmental related risks and cyber risks. They should ensure that appropriate technologies and adequate control frameworks are in place to address threats to information security and business continuity, including risks stemming from increasingly sophisticated cyber-attacks.
1 MARKET DEVELOPMENTS The Russian invasion and inflationary pressures have significantly impacted the risk environment of EU securities markets. Recoveries in most equity indices from the beginning of 2022 came to a halt, following the March 2020 market stress, with global equity indices broadly declining (in 1H22: Europe -18%, China -8%, US -20%). This was mostly linked to energy costs and lower trade flows due to the Russian invasion, supply-side bottlenecks linked to the continued effects of the COVID-19 pandemic and the tightening of credit conditions for firms. At the same time, volatility as measured by the European volatility index VSTOXX rose in early March (41%) to about half the levels of March 2020. In Europe, more energy intensive sectors, such as consumer discretionary (-31% YTD), industrials (-29%), and technology (-36%), saw larger price falls than other sectors. Price-earnings ratios tumbled, though they remained above 10-year historical averages (at 3% EU and 9% US respectively). The decreases partly reflect lower earnings expectations for the future, due to the potential long term effects of the pandemic and the impacts of higher long-term interest rates.
Fixed income markets were characterized by investor expectations of slower economic growth, higher inflation and a less accommodating interest rate environment. Despite a short-lived fall right after the invasion, EU sovereign bond yields rose in 1H22 to levels unseen since 2016 with significant news-flow related volatility (IT +213bps, GR +230bps, DE +150bps). As of end-June, spreads to the Bund also widened, e.g. for Italy (1.9%, +70bps) and Spain (1.1%, +39bps). Corporate bond markets showed sensitivity to the evolving outlook, recording significant selloffs across all rating categories and reduced liquidity. Investment grade (IG) bonds experienced a peak-to-trough fall of 15% (August 2021 to May 2022), nearly twice that of the pandemic, and declined by 12% in the year to June. High-yield (HY) bonds performed slightly worse (‑15%) but their peak-tot rough losses were lower than during the pandemic. Credit spreads widened on concerns that the slowdown could weigh on firms’ debt capacity. Significant spreads upswings were also seen in February with the invasion, and in May and June as rates hikes occurred in the US and were announced for the EA.
The crypto-asset market experienced a continued sell-off in 2Q22 in line with the decline of traditional financial assets (especially tech equities) with which Bitcoin (BTC) shares a close (40%) correlation. The collapse of crypto-asset TerraUSD in May and the pausing of customer withdrawals by crypto-asset Celsius in June, added to the shift in investor sentiment away from these assets, sending BTC price to an 18-month low. In May, the largest algorithmic stablecoin (third largest overall), TerraUSD, failed to maintain its peg to the USD after its underlying decentralised finance (DeFi) protocol, Anchor, suffered a confidence run on its deposits. The combination of the sharp fall in crypto-asset prices, and the demise of the Anchor protocol linked to TerraUSD, caused the total value of assets ‘locked’ (deposited) in DeFi smart contracts to fall from over EUR 186bn at the start of May to EUR 62bn by June. In another development in June, centralized finance (CeFi) lending platform, Celsius, halted customer withdrawals of deposits, signaling that it had liquidity issues or a deeper insolvency problem. This coincided with a 21% fall in the Bitcoin price and led Binance to temporarily suspend Bitcoin withdrawals from its exchange. The Celsius token price had fallen by 94% since the start of 2022 with market speculation that it could sell a sizeable stake in crypto asset Ethereum to avoid collapse.
The turmoil triggered by the Russian invasion also affected environmental, social and governance (ESG) markets. In 1Q22, EU ESG equity funds had net outflows of EUR 5bn, compared with average inflows of EUR 11bn per quarter in 2021. ESG bond issuance volumes fell 29% from the start of the year to June, as compared with the same period in 2021. In the banking sector, ESG bond issuance as a share of total bond issuance decreased compared to 2021, though they often enjoy higher subscription levels than non-ESG bonds, allowing banks to pay lower risk premia on new issuances. Despite this, some fundamental factors driving the rise of ESG investing remain in place. Most importantly, investor preferences continue to shift towards sustainable investments, with portfolio allocations increasingly tilted towards ESG investments. Similarly, issuance of ESG bonds by EU corporates remained on par with early 2021, supported by a rapid expansion of the sustainability-linked bond market. This contrasts with a 32% fall in broader EU corporate bond issuance.
2 DEVELOPMENTS IN THE FINANCIAL SECTOR In 1H22, European investment funds faced heightened volatility in securities markets given the increasingly uncertain economic outlook and the expected increase in interest rates. The performance of most EU fund categories dropped significantly, from a 12-month average monthly performance of 1.6% for equity funds in December 2021 to 0.9% in June 2022. In the meantime, the performance of bond funds turned negative (-0.7%). In contrast, commodity funds outperformed the sector in 1Q22, reflecting the surge in commodity prices following the Russia’s invasion of Ukraine and the sanctions on Russia, before slightly receding, to 2.1%, in end-June. Equity fund flows were also negative (-0.9%). Declining performance led to redemption requests with net outflows in 1H22 totalling 1.6% of the net asset value (NAV) of the fund sector. Bond funds were particularly affected (-4.8% NAV) due to negative performance (-0.7%) and exposures to growing credit and interest risks. Commodity funds experienced outflows (-5.8%), albeit from a low base and only in 2Q22, when their performance declined. MMFs funds also experienced substantial outflows ( -9.2% NAV exceeding the -4.6% NAV observed during COVID-19 stress). MMFs denominated in all currencies experienced outflows, though USD MMFs experienced higher returns (1.1% average monthly performance) than EUR denominated MMFs (-0.1%). While MMFs may generally benefit from a flight-to-quality during uncertain market conditions, investors currently appear to be turning away from fixed-income funds in general. Outflows were partly driven by the expected increase in interest rates. In contrast, real estate funds (1.7% of NAV) and mixed funds (1% of NAV) recorded inflows in 1H22.
The European insurance sector entered 2022 in good shape notwithstanding the adverse developments since the COVID-19 outbreak. During 2021, gross written premiums (GWP) for the life business grew (y-o-y) quite substantially (+14%), while growth was lower for the non-life business (8%). The positive change has partially been driven by the previous reduction in GWP throughout 2020 during the pandemic; although GWP remain still below pre-Covid levels, in particular for life business. The good performance of financial markets and the high returns obtained during 2021 pushed insurer’s profitability up to the levels reached back in 2019, with a median return on assets standing at 0.57% in 4Q21 (0.38% in 4Q20).
At the beginning of 2022 insurers’ capital buffers on aggregate were solid with a median SCR ratio of 216%. An improvement was observed for life insurers while a slight decline was observed for non-life insurers. As the risk-free interest rate increased throughout 2021, due to the long maturities of life insurers’ liabilities the value of technical provision decreased relatively more than the value of assets, with a positive effect on net capital. This contributed to an increase the median SCR ratio for life insurers, from 216% to 225%. However, the SCR ratio did not reach the high levels observed at the end of 2019 (236%). On the other hand, the median SCR ratio for non-life insurers slightly decreased from 218% towards 211%. This might be driven by the increase in claims negatively affecting the liabilities of some representative undertakings, combined with the fact that asset values declined more than liabilities when interest rates increased given that non-life insurers tend to be characterized by a positive duration gap. Likewise, the financial position of EEA IORPs displayed a recovery in 2021. The total amount of assets grew to EUR 2,713 bn in 4Q21 (From EUR 2,491 bn. in 4Q20), while liabilities remained more or less unchanged. Similarly, the Excess of Assets over Liabilities exhibited a positive trend.
The European banking sector entered 2022 with relatively strong capital- and liquidity positions. The capital ratio (CET1 fully loaded) is, at 15.0% in 1Q22, at the same level as it was before the pandemic broke out (in 4Q19). Yet the capital ratio was 50bps lower than in the previous quarter, mainly driven by rising risk weighted assets (RWA). After a steadily rise in previous quarters, the liquidity coverage ratio (LCR) also slightly deteriorated in 1Q22. A reported LCR ratio of 168.1% in 1Q22 (174.8% in 4Q21) was nevertheless still substantial.
EU banks are facing additional challenges to asset quality and profitability while pandemic-related vulnerabilities continue to loom. Deteriorating economic prospects, high uncertainties and high inflation with a phasing-out of accommodative monetary policy are affecting the outlook for EU banking sector. Loan portfolios with pre-existing vulnerabilities from disruptions caused by the pandemic may also be further affected in a slower economic recovery. Accordingly, 45% banks responding to the EBA’s spring 2022 risk assessment questionnaire (RAQ) indicated their plans to maintain their overlays related to the pandemic to cover potential losses that may materialize in the next quarters, while 35% of banks indicated plan to release them fully or partially. Supervisors should continue to closely monitor the adequacy of banks’ provisions.
The NPL ratio further improved in the first quarter of the year (to 1.9%), mainly driven by decreasing volumes of non-performing loans (NPL). However, rising cost of risks and an increasing share of loans allocated under Stage 2 under IFRS points to slightly deteriorating asset quality. The quality of loans under previous support measures related to the pandemic continues to show signs of deterioration and also requires vigilance. The total volume of loans with expired EBA-compliant moratoria reached EUR 649bn in 1Q22, a 7.8% decline compared to the previous quarter. The volume of subject to public guarantee schemes (PGS) stood at EUR 366bn in 1Q22, almost unchanged compared to the previous quarter. The NPL ratio of loans under expired moratoria and of loans subject to PGS is, at 6.1% and 3.5% in 1Q22, respectively, substantially higher than the overall NPL ratio, and has increased further since 4Q21. PGS loans are mostly concentrated to a few countries only. The allocation of Stage 2 under IRFS 9 for loans under previous support measures is, at 24.5% for loans under expired moratoria and 22.7% for loans subject to PGS, substantially higher than stage 2 allocations for all loans and advances (9.1% in 1Q22). In spite of their slight deterioration in 1Q22, EU banks’ capital and liquidity positions nevertheless provide, for the time being, sufficient cushioning in banks’ balance sheets should the economic situation deteriorate further, or heightened market volatility persist.
Positive operating trends were observed for European banks in 1Q 2022, with a profitability of 6.6% return on equity (ROE) achieved under difficult market conditions, though this is lower than the 7.7% ROE reported in the previous year (1Q21) and lower than the 7.3% ROE of the previous quarter. The contraction can be explained mainly by rising contributions to deposit guarantees schemes and resolutions funds in some countries and various one-off effects, whereas net operating income improved. In 1Q21, lending growth offset a slight decline in net interest margins (NIM) and led to improved net interest income (NII). Net trading income also increased, supported by market volatility. Overall increasing net operating income also outweighed the impact of rising inflation on operating expenses in the first quarter of 2021.
3 IMPACT OF RU-UA WAR ON THE EUROPEAN FINANCIAL SECTORS Securities markets experienced volatility with some key commodity markets strongly impacted by the Russian invasion and sanctions. Bond yields rose in response to the increasing inflation and anticipated higher rates, while equity markets were volatile and experienced periodic sell-offs. Such volatility can create short-term risks on financial markets. Margin calls on derivatives related to commodities can create liquidity strains for counterparties, as was witnessed by the calls for emergency liquidity assistance for energy traders and the London Metal Exchange suspending nickel trading for five trading days in early March. While commodity derivatives markets in the EU are of limited size relative to EU derivative markets as a whole, these markets create sensitive interlinkages between commodity producing or processing companies, commodity traders, banks acting as intermediaries in the clearing process, central counterparties, and other financial institutions.
The Russian invasion negatively affected credit rating agencies’ (CRA) credit outlook for EEA30 debt. The number of corporate downgrades grew relative to upgrades over 1H22, with a jump in downgrades around the time of the invasion. Russian and Ukrainian ratings were mainly affected, with a series of downgrades in late February and March among both corporates and sovereigns. By mid-April CRAs had withdrawn their Russian ratings in response to the EU measures banning the rating of Russian debt and the provision of rating services to Russian clients. In addition, sanctions have made it difficult for Russia to make sovereign coupon payments. In this context, Russia defaulted on some debt payments due in late June.
Direct impacts of the invasion on investment funds were limited. Exposures to both Russian and Ukrainian counterparties were EUR 50bn (below 0.5% of EU fund assets as of end-January 2022). Some fund exposures were higher, with 300 funds holding over 5% of their portfolios in Russian and Ukrainian assets (total EUR 225bn). The massive fall in prices and liquidity of Russian financial instruments led to serious valuation issues for exposed EU funds. In 1H22, 100 Russia-exposed EU funds (EUR 15bn in combined assets) temporarily suspended redemptions. However, funds with material Russian exposures before the invasion account for a very small share of the EU fund population (less than 0.1% of the EU industry). A number of ETFs tracking Russian benchmarks also suspended share creation. While direct impacts of the Russian invasion on funds, such as losses, were limited, existing risks were amplified by the invasion and the deteriorating macroeconomic outlook. Credit, valuation and liquidity risks remained elevated in the bond fund sector, linked to multiple factors. Bond fund exposures to credit risk stayed elevated, especially for HY funds. The credit quality of the portfolio of HY funds remained close to an average rating between BB- and B+ (5-year low). The likelihood of credit risk materialization also increased with the deteriorating macroeconomic environment and rising interest rates, as visible in the higher credit spreads. In comparison, liquidity risk remained steady for corporate bond funds. Based on asset quality and cash holdings, portfolio liquidity remained stable in 1H22.
EU insurers’ exposure to assets issued in Russia, Ukraine and Belarus is also limited. These assets amount to EUR 8.3 bn, less than 0.1% of the total investment of the sector. The exposure to Russia is EUR 6.3 bn, which is 0.066% of total investments and the asset exposure to Ukraine is EUR 1.8 bn, 0.019% of total Investments. The exposure to Belarus is negligible. Most of the investments in Russia are through investment funds (84% of total investments). Within funds, the largest asset classes are represented by sovereign bonds and equities associated to unit linked portfolios. A large share of investments to Russia, Ukraine and Belarus (42%) is in index- and unit-linked portfolios, whose risk is born directly by policyholders.
EU insurers have limited activities in the Russian, Ukrainian and Belarusian markets. A small number of EEA groups are active in those countries through subsidiaries. Their size in terms of total assets is minimal if compared to the total assets of the groups. In terms of liability portfolios exposures are also limited. Total technical provision in Russia, Ukraine and Belarus is EUR 0.36 bn., mostly concentrated in the life business.
With regards to IORPs, asset exposures are also limited, at EUR 7.5 bn. (0.23% of total investments). In absolute numbers this is similar to the exposure of the insurance sector. It is worth noting that the size of the IORPs total investment is smaller with respect to the insurance sector.
In the banking sector, direct exposure to Russia and Ukraine appears limited on an EU level and country level. In 1Q22, exposures of the EU/EEA banking sector were at EUR 75.3bn (ca. 0.3% of total assets) towards Russian counterparties, at EUR 10.0bn towards Ukrainian counterparties, and at EUR 2.0bn towards Belorussian counterparties, slightly decreasing towards the three countries compared to the previous quarter. However, exposures are concentrated in a few countries, and a few banks report an up to 10% share of their exposures towards Russia and Ukraine. Some banks also booked substantive provisions related to their exposure to Russia and related to the deteriorating economic environment in the first quarter of this year.
While immediate, first round implications from the Russian invasion appear contained for financial institutions across sectors, the possibility of second round effects is a source of concern. The invasion, heightened uncertainties and inflation are not only weighing on economic prospects, but also affect consumer- and business confidence. Exposures of economic sectors more sensitive to rising energy- and commodity prices require attention across sectors.
In the insurance sector, second-round effects could emerge via exposures to sectors which, in turn, are highly exposed to the current crisis. Losses in these sectors could have spill-over effects through losses on investments. Two areas could be the most relevant: the exposures of insurers to the banking sector and the exposure to sectors of the economy that are more sensitive to energy and gas prices. Insurers have significant holdings of bank assets, and in this context also hold a significant amount of assets issued by banks that are assumed to be more vulnerable to the evolution of the current crisis. The exposure of EEA insurers to those banks is estimated to only a total amount of EUR 55 bn (0.57% to total investments). Furthermore, insurers have significant asset exposure to sectors sensitive to energy and gas prices.6 The total exposures sum to EUR 174 bn, which includes almost 3% of the equity portfolio of insurers and 7.5% of corporate bond holdings.
In the banking sector, second-round effects could emerge via deteriorating asset quality and further increasing provisioning needs in a deteriorating economic environment. Fee and commission income might also be affected. Banks’ securities portfolios might moreover be negatively affected as fair value declines when interest rates rise. The worsening economic outlook has already resulted in slightly deteriorating early warning indicators for asset quality. The cost of risk increased to 0.51% in 1Q22, a 4bps increase compared to the previous quarter, as borrowers’ debt servicing capacity might be affected by lower economic growth. The increase was mainly driven by the numerator, i.e. by increasing allowances for credit losses. Also, the share of loans allocated under Stage 2 under IFRS increased in 1Q22 and 4Q21, and it another early-warning indicator pointing to slightly deteriorating asset quality. Responses to the EBA RAQ moreover indicate that a majority of banks expect asset quality to deteriorate.
In line with the deteriorating economic outlook and heightened market- and interest rate volatility, bank funding conditions have worsened since the Ukrainian war started and since interest rates increased. Wholesale bank debt spreads have widened for debt and capital instruments across the capital ladder, and particularly for subordinated instruments. Interest rates for bank debt instruments have risen substantially across durations, albeit from extremely low levels. Since the beginning of the war, bank debt issuance activity has been mainly focused on issuing covered bonds, amid challenging market conditions and as banks have begun to roll over expiring long-term central bank funding facilities. Bank funding conditions are likely to stay more challenging while volatility persists and as interest rates continue to rise. Yet current ample liquidity buffers should allow banks to withstand further periods of market turmoil for the time being. In the medium-term, the substitution of expiring extraordinary central bank funding with other sources of funding could prove challenging for some banks.
In spite of positive operating trends in 1Q2022, the outlook for EU bank profitability is subdued. The deteriorating economic environment might affect lending growth and might result in lower loan- and payment-related fee income. Inflationary pressure, higher provisioning needs for expected deteriorating asset quality, costs related to digital transformation and higher compliance costs, e.g. related to the enforcement of sanctions will all likely affect costs, and may offset operating cost savings achieved. While rising rates may have a positive impact on interest income, rising funding costs might also offset additional income from asset repricing.
4 INFLATION AND INTEREST RATE RISKS The Russian aggression and the sanctions applied contributed to inflation pressures via the resulting supply shocks in energy, food and metals commodities, which added to the supply chain bottlenecks related to the pandemic. Higher energy prices particularly contribute to inflation, widely increasing input and distribution costs. In terms of investment impacts, inflation directly lowers real returns. Inflation changes relative attractiveness of assets both across asset classes and within asset classes. Higher inflation reduces the values of existing assets with fixed returns, such as (most) bonds. By reducing short-term growth, higher rates lower profitability and typically reduce equity values. However, if a rate rise is expected to be effective in increasing long-term growth, it can also increase equity values. Inflation has indirect impacts through its effects on actual and anticipated monetary policy, especially interest rate rises, to reduce demand and bring inflation down. Higher interest rates increase returns on savings and raise borrowing and refinancing costs, reducing debt sustainability. Variable-rate loans face higher debt servicing costs, raising credit risk, including for securitizations backed by variable-rate loans.
In the investment fund sector, interest rate risk increased in a context of rising inflation expectations. Fund portfolios with a longer duration will see their value fall, as inflation drives rates up. However, adjustments are already being made in some funds. Bond fund portfolio durations fell in 1H22, remaining higher for Government (7.6 years, down from 8.6 years) and IG bond funds (6.5 years, down from 7.3 years) than for HY funds (4.3 years, down from 4.8 years). Based on current duration, a 100bps increase of in yield could have a potential impact of -7% on bond fund NAV, about EUR 270bn, which could lead to significant fund outflows. In the MMF sector, funds also significantly reduced the weighted average maturity of their portfolios from 44 days to 30 days (a 3-year low) to lower interest rate risk and improve resilience to a rate rise.
As a period of low inflation and low interest rate is coming to an abrupt end, medium-term risks for asset managers are considerable. Impacts on performance and fund flows are likely to vary across asset classes. For example, the recent US increase in rates led to significant reallocation across fund types from bond funds (-4.7% NAV in 1H22) towards funds offering some form of protection against higher rates. To-date, this contrasts with the EU. In 1H22, US cumulative flows into funds offering protection against higher inflation or rates, such as inflation-protected funds (EUR 1.5bn), loan funds (EUR 13.9bn) and commodity funds (EUR 16.3bn), outpaced their EU equivalents.
Inflation can have a significant impact on borrowers and retail investors. It can heighten vulnerabilities of debtors exposed to flexible lending rates, or where low interest rates on their loans will expire in the near term, including in mortgage lending. Inflation can also have large effects on real returns on savings and investments of retail investors both in the immediate term as well as in the long term. Retail investors may be unaware of inflation or not pay enough attention to its effects on their assets and purchasing power. Consumers can suffer from behavioral biases, such as money illusion or exponential growth bias, that can lead to insufficient saving and investing. Moreover, when inflation is rising, the effects of insufficient saving on long-term wealth become more pronounced.
Insurer positions are affected by inflation on both on the asset and liabilities side typically negative net effects for the non-life segment. On the asset side, insurer investments whose market prices are sensitive to inflation will see a direct or indirect impact through movements of the interest rates. On the liability side, inflation affects insurers through higher costs of claims. This is mostly relevant for non-life lines of business, because non-life guarantees are in nominal terms; crucially, insurers’ build-up provisions for future claims payments and in doing so they must make assumptions today about future price developments. Life insurers are less affected by costs of claims, these typically have liabilities in nominal terms, i.e. claims do not increase with the price development; this is because potential future benefits are often stipulated at inception. Higher general costs can have negative profitability implication for both life and non-life. Finally, the sensitivity on inflation and to interest rate depends also crucially on the duration gap of the undertakings: those with positive duration gaps are more likely to be negatively affected by inflation than those with negative long duration gap, such as life insurers.
On the liability side, the price development relevant for claims expenses, i.e. claims inflation, is particularly important for insurers. Claims inflation tends to outpace the general inflation rate, claims cost depends only to a small extent on inflation as measured by the Harmonized Index of Consumer Prices (HICP); the reason is that the goods for which insurers pay are significantly different from those which consumers buy. Moreover, claims of insurers encompass various costs, not just costs of goods and services. For Europe, there are no time series available on estimates of future claims inflation; each insurer makes its own business line specific forecast.
Developments in the term structure and risk premia, which remain uncertain, are also having an impact on the net effect on insurer positions, through their exposure to interest rate sensitive assets and the duration of their liabilities. A potential increase in long-term rates would be accompanied by a repricing of the risk premia, and the negative impact on the asset side would not be limited to the fixed income assets but would be reflected to other asset classes through the reduction of market prices. A similar scenario was tested in the EIOPA 2018 Stress Test exercise (Yield Curve Up scenario). This showed relatively high resilience of the insurance sector as a result of the solid capital buffers of the sector in aggregate.
Insurance products can be sensitive to inflation, policyholders and pension beneficiaries face the risk of inflation eroding the real value of their benefits. This ultimately depends on the particular features and details of each contract sold. In the traditional business case of nominal interest rate guarantees, higher inflation than expected (relative to that already factored in the guarantees) has a negative impact in real terms for the policyholder, while contracts with profit sharing may help policyholder returns. In case of unit-linked policies, the policyholder can select the underlying assets from a range of investments e.g. mutual funds. The allocation could involve assets that provide inflation protection or not. Crucially, it requires policyholder financial knowledge/literacy to navigate through the complex dynamics of how investments affect their benefits. In the last years, the share of unit-linked in the life segment continues to increase, now reaching a peak of 39% since the introduction of Solvency II reporting, notwithstanding the considerable differences in the popularity of unit-linked products that remain across countries.
In the banking sector, increasing interest rates are usually expected to have a positive impact on interest income and on net interest margins (NIMs). Accordingly, a vast majority of banks responding to the spring 2022 EBA RAQ expect a positive impact on their profitability from rising interest rates with a repricing of assets. Both banks and analysts are optimistic about the impact of rising rates, and 85% of banks responding to the RAQ expect rising rates to have a positive impact on their profitability. However, analysts also expect an increase in provisions and impairments (at 80%, compared to 15% in the previous RAQ). Since 2014 NIMs have steadily decreased in the very low interest rate environment, and have remained nearly stable since Q1 2021 (1.25% in Q2 2022).
In spite of positive expectations, historic episodes of rising interest rates globally, as well as bank profitability trends in some European countries with an earlier cycle of increasing interest rates offer some indication that NIM may not improve substantially with rising interest rates. Expectations for a substantively positive impact on profitability may be overly optimistic. For example, during periods of stagflation in the USA between 1971 and 1973 and between 1976 and 1980, the sensitivity of NIM to interest rate rises was negligible. Disclosures from banks’ interest rate risks in the banking book (IRRBB) indicate that a parallel shift up of the yield curve positively affects NII for most banks. Yet, while about half of banks disclosing their IRRBB assume that a 200bp parallel rise of the yield curve will add at least a 10% to their NII, a majority of banks assume a negative net impact on their economic value of equity (EVE), a long-term measure of their interest rate risk.
On the liabilities’ side, bank funding costs have increased considerably in line with rising interest rates, which affects profitability. In the next months, analysts expect a broad-based increase in funding costs, including for deposits. Banks, particularly those relying more on wholesale funding, may be affected by a potential substantial increase in funding costs that could even offset positive effects from asset repricing. Banks that need to further build up their loss absorbing capacity could be particularly affected, as a majority of banks consider pricing as main constraint to issuing instruments eligible for MREL. In line with rising inflation, EU banks’ operating costs are also expected to increase further and have already increased substantially in 1Q22.
While general expectations suggest that banks will benefit from a repricing of assets amid rising interest rates, increasing rates might also affect borrower ability to service their debt, and could thus affect asset quality. Coupled with a deteriorating economic outlook, the rising interest rate environment risks in resulting in a reversal of the long-term trend of declining NPL in the banking sector. Rising rates could also contribute to adjustments to the already high real estate valuations in Europe, while the high levels of real estate exposure of EU banks has been identified as a risk. Monetary tightening might also impact lending growth, when, e.g., tightening is accompanied by lower GDP growth, and so could affect interest income.
5 DIGITAL RELATED RISKS The Russian war in Ukraine and the increasingly volatile geopolitical environment have heightened cybersecurity risks. The frequency of cyber incidents impacting all sectors of activity, as measured by publicly available data, increased significantly in the first quarter of 2022 compared to the same quarter of last year. The potential for escalation involving cyberattacks remains, and a successful attack on a major financial institution or on a critical infrastructure could spread across the entire financial system. Potential consequences also grow ever more far-reaching as the digitalization trend of the financial sector continues. These include disruptions to business continuity, as well as impact on reputation and, in extreme scenarios, liquidity and financial stability. Potential cyberattacks might not be limited to the financial sector only, but also to consumers. In a severe scenario, access to basic services could be impaired, including financial services, and personal data could be compromised.
The sharp market sell-off in May and June 2022 once again demonstrated the extremely volatile and speculative nature of many crypto-assets and related products and the high risks involved for investors, as highlighted in the recent joint-ESAs Warning. The collapse of the Terra ecosystem in May exposed fragilities in stable coins markets, which if left unmanaged, could have ripple effects with negative implications for financial stability, calling for a swift implementation of the Markets in Crypto Assets (MiCA) proposed regulation.
The current geopolitical situation underscores the relevance of the legislation on digital operational resilience (DORA). DORA, which builds on the ESAs Joint Advice in the area of information and communication technology (ICT), is expected to enter into force in early 2023. On 10 May 2022 co-legislators reached a provisional political agreement on its final text. DORA aims to establish a comprehensive framework on digital operational resilience for EU financial entities, and consolidate and upgrade ICT risk requirements spread over various financial services legislation (e.g. PSD2, MiFID, NIS). The geopolitical situation has highlighted some of the risks that DORA will address and underscores the importance of the legislation. The ESAs will be working closely together on the many joint deliverables and new tasks under DORA to help implement the legislation. Moreover, the ESAs, in cooperation with NCAs, have launched a high-level exercise (covering a sample of financial entities) to obtain a better understanding of the exposure of the financial sector to ICT third party providers. The exercise will help authorities and entities to prepare for the forthcoming DORA regime for oversight of critical third-party providers of ICT services.
Digitalization and cyber risks are currently assessed as high and show an increasing trend for the financial sector. In the banking sector, cyber risks are assessed to be very high by both banks and supervisors. The insurance, banking and markets sectors likewise remain on high alert. Since the beginning of the war, cyber-related incidents and disruptions beyond Ukraine and Russia have been rather limited to date, but related risks nevertheless remain unabatedly high. Cyber negative sentiment in the insurance sector, measured as the frequency of negative cyber terms pronounced during insurers’ earning calls, indicates an increased concern in the first quarter of 2022. From an insurance cyber underwriting perspective, cyber-related claims are increasing alongside a growth in the frequency and sophistication of cyber-attacks across financial sectors. In response to increasing cyber-attacks, cyber insurers are strengthening the wording to protect them against losses and could eventually also adjust pricing. Insurers seem to have pushed up attempts to tighten policies and to clarify coverage in the case of a retaliation by Russia and its allies in response to sanctions – the so-called war exclusion, which dictates that losses caused by armed conflict are usually not compensated. In this context, clear communication and disclosure to policyholders on the scope of the coverage and level of protection offered by insurance policies is crucial, in order to avoid a mismatch between their expectations and the actual coverage provided.
Supervisors aim at enhancing monitoring of cyber-related risk framework due to the increased relevance of digitalization and cyber risks. ESMA has recently facilitated increased information-sharing among its competent authorities to ensure supervisors receive timely updates on cyber incidents to inform their work. Turning to the insurance sector, EIOPA has produced exploratory indicators that rely on supervisor responses to the EIOPA Insurance Bottom-Up Survey and on publicly available external data. They will be improved once new supervisory data becomes available. To establish an adequate assessment and mitigation tools to address potential systemic cyber and extreme risks, throughout 2022 and 2023 EIOPA will be working on improving its methodological framework for bottom-up insurance stress tests, including cyber risk.
Aligning IT strategies with business strategies has been a mantra for CIOs for quite a few years. Yet, despite the apparent straightforward nature of the endeavor, many CIOs struggle to achieve that alignment. The rapid rise of digital technologies and transformation has significantly raised the bar — now, CIOs must find synergies and multiplier effects, not just business alignment, and that has a big impact on the creation of IT strategies.
IT strategy logically flows from the enterprise business vision, mission, goals, and strategies — especially digital business strategies. Collectively, they should anchor and guide IT strategy development. Yet IT strategy should also inform business strategy by presenting new and unexpected opportunities and capabilities. CIOs and strategy development stakeholders must cycle back and forth between business and IT strategies to maximize synergies.
CIOs need to find new process-driven approaches to formulating strategy in the new world where technology is found in every aspect of the business. An effective strategy development process is inclusive of all stakeholders,
reliably identifies the most critical business needs and opportunities,
objectively assesses the current state of IT and the enterprise,
surfaces and vets all salient IT strategic initiatives and opportunities,
explains how business and IT success will be measured,
and engages and motivates all those who must embrace, support, and execute the strategy.
This study lays out a process for creating IT strategy. It explains how CIOs can envision and develop new IT strategies, identifies key activities and actions for each step, and provides advice on ensuring effectiveness and adoption of an IT strategy.
Stage 1: Lay Groundwork for New IT Strategy Development Under the duress of executive pressure to transform IT, CIOs may be tempted to jump into formulating new IT strategies without laying the proper groundwork. Like IT itself, however, IT strategy development must extend beyond the boundaries of the IT organization as digital business concerns pervade all aspects of the business, its partners, and its customers. That means that a diverse set of organizations and stakeholders will necessarily be involved in creating new IT strategies. Taking the time to prepare and get all necessary stakeholders onboard, will, however, reduce friction and lead to a faster effort with better results. The groundwork stage is intended to set the stage for all subsequent strategy work.
Identify, contact, and recruit all salient stakeholders. F. Edward Freeman’s work on the Stakeholder Theory lists employees, environmentalists, suppliers, governments, community organizations, owners, media, customers, and competitors. Additional stakeholders would include LOB executives, CIO direct reports, and key partner representatives. Team members must be willing and able to devote the necessary time for the duration of their involvement.
Build trusting relationships among all stakeholders, and gain support for the strategy effort.
Educate nontechnical stakeholders on essentials of digital technologies and digital business and operating models.
Conduct workshops to learn about and select key tools and practices, such as agile, design thinking, value streams, and lean start-up, that can help create a structured framework.
Agree on a strategy development process and governance and oversight for the process.
Define the purpose and desired outcomes for the IT strategy development process.
Review existing IT and enterprise vision, mission, strategy, and goals.
Review IT spend across the entire enterprise.
Create/adopt an agile approach to formulating the IT strategy.
One of the biggest mistakes CIOs can make in formulating an IT strategy is to use ad hoc, nonsystematic approaches that attempt to match technology solutions with highly visible problems.
Modern IT strategies are complex, have multitudes of interdependencies and diverse and powerful stakeholders, and have a material impact on the success or failure of the business. Strategy development is one of the most critical responsibilities — one that requires rigor and a structured approach and processes.
Above all, the IT strategy formulation process needs to be agile, as business environments are continually shifting. A strategy that only adjusts on an annual basis runs the risk at any point in time of being mistargeted. The process needs to continually sense changes in the business ecosystem and prompt decisions about possible changes to the strategy.
Stage 2: Determine Key Business Drivers and Forces IT strategies are intended to move businesses forward by
creating new products and services,
attracting and retaining customers,
entering new markets,
and solving business problems.
In that context, key issues and business drivers are those that constrain the business from moving forward or present opportunities to grow and succeed.
Business and IT strategies exist in a messy world of shifting business, social, technological, economic, and geopolitical forces. Those forces and dynamics make up the business context in which the IT strategy must function and succeed and form the basis for identifying key drivers that will shape and help decide what key initiatives need to be prioritized.
Key drivers are quite individualized to a given business. But they can include
technology emergence and evolution;
global competition and challenges;
competition in the form of new business and/or operating models;
shifting customer and market dynamics — personal, social, and cultural;
geopolitical and regulatory shifts and uncertainties;
environmental and climate impacts;
and threats to privacy and security.
Compile and review trends, disruptions, and forecasts in business, technology, environmental, geopolitical, social, regulatory, and other salient arenas.
Identify the most important forces and drivers that will impact the enterprise and IT.
Describe how the selected drivers will help define the desired future state of the enterprise.
Prioritize and map drivers to time frames in which drivers are expected to be active.
Describe responses that will be needed from the enterprise and IT.
Time phase responses based on projected time frames.
While there may be a multitude of key issues, CIOs need to work with business leaders to select only those that truly move the needle for the business. It’s been said that, when everything is a priority, nothing is a priority and that is true when it comes to IT strategy. IT and LOB executives will have to subordinate the agendas of their own organizations to focus on the drivers that offer the most potential for business benefit to the enterprise. Selecting the most important drivers is critical, as the selected set will define the focus of successive stages of strategy development and the strategy itself.
Stage 3: Assess Current State of the Enterprise, IT, and Business Ecosystem This stage requires an objective assessment of the IT organization, the enterprise, and its ecosystem for attributes and characteristics that could positively or negatively impact the formulation and execution of IT strategies. IT and LOB executives need to have frank discussions about « the good, the bad, and the ugly » aspects of IT and the enterprise. Business leaders can ill afford to launch into implementing strategies that their organizations, markets, and customers are not ready for. The following table provides key facets of IT, enterprises, and ecosystems that should be assessed.
Note that some of the attributes are more germane and important to the IT strategy and others are less so — the goal is not an exhaustive assessment but one that captures the current states that are most important to strategy development. The current state assessment is critical as it is the basis for identifying work that’s needed to reach the desired future state. A flawed or incomplete assessment will result in missed opportunities, failed initiatives, and potential derailment of IT transformation.
Assemble necessary data, market and customer intelligence, and ecosystem intelligence to underpin analysis and decision making.
Identify the most salient and important attributes for assessment.
Create an assessment framework and scoring system.
Describe the current states of the business and IT, using SWOT or other frameworks to assess relative competitiveness and readiness to execute business and IT strategies.
Assess the viability and currency of the existing business strategy.
The current state assessment requires at least a basic framework that identifies the most salient attributes to keep stakeholders from getting too far down in the weeds. The intent is not to put every aspect of IT and the business under a microscope but instead to select attributes of both organizations that need to be addressed by the IT strategy. In support of that aim, the assessment should include a simple scoring system to measure importance (high, medium, low) of each selected attribute and the relative current state (strength, weakness, neutral). And the current state assessment should reflect the viewpoints of employees, managers, customers, partners, and the business’ ecosystem.
Step 4: Define the Future State and Key Initiatives This stage focuses on defining what IT and the enterprise need to look like in the future over one-, two and three-year time frames and the strategic initiatives that will help IT assist the business in achieving that state. In describing the future state and initiatives, it’s critical to find the balance between pragmatic business problem-solving and innovative, aspirational efforts that will engage and motivate stakeholders.
As we noted previously, an agile approach that emphasizes learning and refinement in an iterative staged approach will create more adaptive strategies. Design thinking is another discipline that helps the strategy team frame (or reframe) problems and their solutions from the customers’ perspective to make sure that a prospective initiative and its outcome are important for the target audience. Finally, value streams can be used to help in understanding how a given strategy or initiative creates value and what components are necessary to construct the streams.
Collectively, the tools and practices should be employed in a series of workshops that distill the drivers, issues, and needs identified in the earlier stages of work into prioritized strategic initiatives comprising the IT strategy. Each workshop should focus on one initiative and involve only the stakeholders that are germane to that initiative.
In defining strategic initiatives, the strategy teams should start with a desired business outcome and initiative and then work through the value streams that produce that outcome. Supporting the value streams are IT capabilities:
necessary to deliver a given outcome. For example, a desired outcome or initiative focused on generating new revenue from appliance service data would require new IT capabilities (sub-initiatives) in data/analytics, product development, digital platforms, and new business model development.
Distill drivers and issues into focused business problems, challenges, and opportunities.
Create and run workshops to brainstorm initiatives and solutions that can address identified business drivers, problems, and needs. Start with divergent thinking to create a wide assortment of potential solutions, moving to convergent thinking to winnow down the solution set.
Evaluate solutions based on constraints including budgets, financial viability, legacy culture and processes, talent availability, and other factors that may obviate some solutions.
« Test » the top solution initiatives with those who will implement or be affected by the initiatives.
Refine based on feedback or reexamine the original drivers and issues to ensure that they are relevant and important.
As powerful digital technologies have become core to business success, IT strategy development has become a « chicken and egg question »: technology or business — which comes first? The answer is « both. » Business needs, strategies, and models obviously drive technology strategies and adoption and will always be the dominant force in setting IT strategy at large enterprises. Yet, without cloud, data/analytics, and machine learning technologies, new business and operating models such as those employed by Uber, Lyft, Google, and others simply could not exist. Business strategies need to be the starting point and anchor for IT strategies, but at times, they will be shaped, if not driven, by new and emerging technologies.
Stage 5: Determine Metrics and KPI Success Measures In the spirit of the old saying that « you can’t manage what you don’t measure, » this stage focuses on identifying key metrics and KPIs to measure the success (or lack thereof) of the IT strategy and specific strategic initiatives. Embedding top-level KPIs and metrics in the strategy is a means to ensure they become integral to the execution of the strategy — not an afterthought. It also helps ensure that the same stakeholders that define the strategy and initiatives identify the most meaningful metrics. And the metrics themselves are important to help fine-tune initiatives and target those that aren’t succeeding.
Discuss how metrics and KPIs will be used and who will manage them.
Discuss what strategy success looks like and whether there are thresholds of attainment.
Start with desired business outcomes for each initiative, and identify key dimensions that measure performance.
Identify metrics and KPIs that measure the outcomes in terms that will be useful to the CIO and LOB executives to fix problems or sunset initiatives that aren’t effective.
It’s important to favor outcome or impact measures (e.g., sales growth, process cost reduction) over activity measures (e.g., website visits, projects completed) as the former measure the health and the viability of IT and the business while the latter often turn into vanity metrics. Also important is creating metrics that help assess the success of IT strategy implementation and the business outcomes that result from execution.
Step 6: Package and Communicate the IT Strategy Having formulated their IT strategy, it’s easy for CIOs and key stakeholders to think that the heavy lifting is done — all that’s left is to tell the rest of the company what the strategy is and then let the execution begin. Unfortunately, that is a surefire recipe for creating an IT strategy that is ignored, discounted, or unmoored. There are many possible reasons for nonsupport, including
lack of understanding of the strategy and why it’s important,
competing or conflicting interests and objectives on the part of executives,
and failure to embrace and take ownership of execution.
Another simple reason is that the strategy lacks « stickiness » — it isn’t memorable and hence is quickly forgotten. Strategies can be made stickier by using themes to describe initiatives. Instead of « digitally transforming CX, » think « creating memorable customer moments, » or instead of « improving business intelligence capabilities, » think « uncovering insights that score business success. » Finally, IT strategy must be presented in the context of the enterprise business strategy and should clearly flow from and support that strategy.
Identify all target audiences for the strategy and their top-level interests.
Create a communication strategy and plan.
Craft stories for each theme and initiative that tie IT initiatives to enterprise vision, mission, goals, and strategies.
Clearly identify the roles each target audience will play — enactor, supporter, contributor, or beneficiary.
CIOs and strategy team members should create different versions of documents and presentations for each significant target audience. Viewers should feel like their unique interests and needs were considered and addressed in the formulation of strategies. Also important is to create stories that explain the strategy using « day in the life » or similar narratives instead of dry descriptive material.
Summary Of Findings Overview of big tech’s activities in quantum Big tech’s quantum activity is ramping up quickly
Google, Microsoft, Amazon, IBM, and Intel are all developing their own quantum computing hardware. Big tech companies have been behind several breakthroughs in the space.
In July 2021, Microsoft’s venture arm took part in a $450M round to PsiQuantum—the most well-funded quantum computing startup in the world.
Cloud is a key area of quantum competition for big tech
Google, Microsoft, Amazon, and IBM have all launched quantum computing services on their cloud platforms.
Startups have partnered with big tech companies to offer remote access to a broad range of quantum computers.
Big tech forges ahead with quantum advances. Google, Microsoft, Amazon, IBM, and Intel all have ambitious quantum roadmaps.
Expect rising qubit counts and more frequent demonstrations of commercial applications.
Watch for quantum computing to become a hot geopolitical issue, especially for US-China relations.
Expect big tech companies, including China-based Baidu and Alibaba, to be drawn deeper into political debates.
In the US, government efforts to rein in big tech could be countered by officials nervous about keeping up with countries racing ahead with quantum technology.
Other big tech players could join the fray.
Facebook and Apple have not announced quantum tech initiatives, but both will be monitoring the space and have business lines that could benefit from quantum computing.
THEME #1: GOOGLE IS BUILDING CUTTING-EDGE QUANTUM TECHNOLOGY
Alphabet has a software-focused quantum team called Sandbox that is dedicated to applying quantum technology to near-term enterprise use cases. Sandbox operates mostly in stealth mode; however, recent job postings and past comments from its leadership indicate that its work includes:
Quantum sensors —There are hints that Sandbox is working on a hypersensitive magnetism-based diagnostic imaging platform, possibly an MEG system for reading brain activity, that combines quantum-based sensitivity gains (tens of thousands of times more sensitive than typical approaches) with quantum machine learning to disentangle a signal from background noise to boost sensitivity. This could allow for more precise scans or for cheaper, more flexible deployments of magnetic-based imaging devices for use beyond hospital settings, as well as improved access in lower-income countries.
Post-quantum cryptography (PQC)—Quantum computers threaten much of the encryption used on the internet. Post-quantum cryptography will defend against this. Expect Sandbox’s work to be focused on helping enterprises transition to PQC and making Alphabet’s sprawling online services quantum-safe.
Distributed computing —This tech allows computers to coordinate processing power and work together on problems. Sandbox’s work here may focus on integrating near-term quantum computers into distributed computing networks to boost overall capabilities. Another approach would be to use quantum optimization algorithms to help manage distributed networks more efficiently.
THEME #2: GOOGLE HAS MADE SCIENTIFIC BREAKTHROUGHS
THEME #3: GOOGLE COULD BENEFIT FROM A QUANTUM AI RIPPLE EFFECT
THEME #1: MICROSOFT IS POSITIONING ITSELF AS AN EARLY QUANTUM CLOUD LEADER
THEME #2: MICROSOFT WANTS ITS OWN QUANTUM HARDWARE
THEME #3: MICROSOFT IS A POST-QUANTUM CRYPTOGRAPHY PIONEER
THEME #1: AMAZON SEES QUANTUM COMPUTERS AS KEY TO THE FUTURE OF AWS
THEME #2: AMAZON IS DEVELOPING ITS OWN QUANTUM HARDWARE
THEME #3: AMAZON’S CURRENT BUSINESS LINES COULD BE GIVEN A BIG BOOST BY QUANTUM COMPUTERS
THEME #1: IBM IS GOING AFTER THE FULL QUANTUM COMPUTING STACK
THEME #2: IBM POSITIONS ITSELF AS THE ESSENTIAL QUANTUM COMPUTING PARTNER FOR ENTERPRISES
During the 2020 review of Solvency II EIOPA identified several divergent practices regarding the valuation of best estimate, as presented in the analysis background document to EIOPA’s Opinion on the 2020 review of Solvency II. Divergent practices require additional guidance to ensure a convergent application of the existing regulation on best estimate valuation.
In accordance with Article 16 of Regulation (EU) No 1094/20102 EIOPA issues these revised Guidelines to provide guidance on how insurance and reinsurance undertakings should apply the requirements of Directive 2009/138/EC3 (“Solvency II Directive”) and in Commission Delegated Regulation (EU) No 2015/354 (“Delegated Regulation”), on best estimate valuation.
This revision introduces new Guidelines and amends current Guidelines on topics that are relevant for the valuation of best estimate, including
the use of future management actions and expert judgment,
the modelling of expenses and the valuation of options and guarantees by economic scenarios generators
and modelling of policyholder behaviour.
EIOPA also identified the need for clarification in the calculation of expected profits in future premiums (EPIFP).
The revised Guidelines apply to both individual undertakings and mutatis mutandis at the level of the group. These revised Guidelines should be read in conjunction with and without prejudice to the Solvency II Directive, the Delegated Regulation and EIOPA’s Guidelines on the valuation of technical provisions. Unless otherwise stated in this document, the current guidelines of EIOPA’s Guidelines on the valuation of technical provisions remain unchanged and continue to be applicable.
If not defined in these revised Guidelines, the terms have the meaning defined in the Solvency II Directive. These revised Guidelines shall apply from 01-01-2023.
NEW: GUIDELINE 0 – PROPORTIONALITY 3.1. Insurance and reinsurance undertakings should apply the Guidelines on valuation of technical provisions in a manner that is proportionate to the nature, scale and complexity of the risks inherent in their business. This should not result in a material deviation of the value of the technical provisions from the current amount that insurance and reinsurance undertakings would have to pay if they were to transfer their insurance and reinsurance obligations immediately to another insurance or reinsurance undertaking.
NEW: GUIDELINE 24A – MATERIALITY IN ASSUMPTIONS SETTING 3.6. Insurance and reinsurance undertakings should set assumptions and use expert judgment, in particular taking into account the materiality of the impact of the use of assumptions with respect to the following Guidelines on assumption setting and expert judgement. 3.7. Insurance and reinsurance undertakings should assess materiality taking into account both quantitative and qualitative indicators and taking into consideration binary events, extreme events, and events that are not present in historical data. Insurance and reinsurance undertakings should overall evaluate the indicators considered.
NEW: GUIDELINE 24B – GOVERNANCE OF ASSUMPTIONS SETTING 3.11. Insurance and reinsurance undertakings should ensure that all assumption setting and the use of expert judgement in particular, follows a validated and documented process. 3.12. Insurance and reinsurance undertakings should ensure that the assumptions are derived and used consistently over time and across the insurance or reinsurance undertaking and that they are fit for their intended use. 3.13. Insurance and reinsurance undertakings should approve the assumptions at levels of sufficient seniority according to their materiality, for most material assumptions up to and including the administrative, management or supervisory body.
NEW: GUIDELINE 24C – COMMUNICATION AND UNCERTAINTY IN ASSUMPTIONS SETTING 3.14. Insurance and reinsurance undertakings should ensure that the processes around assumptions, and in particular around the use of expert judgement in choosing those assumptions, specifically attempt to mitigate the risk of misunderstanding or miscommunication between all different roles related to such assumptions. 3.15. Insurance and reinsurance undertakings should establish a formal and documented feedback process between the providers and the users of material expert judgement and of the resulting assumptions. 3.16. Insurance and reinsurance undertakings should make transparent the uncertainty of the assumptions as well as the associated variation in final results.
NEW: GUIDELINE 24D – DOCUMENTATION OF ASSUMPTIONS SETTING 3.17. Insurance and reinsurance undertakings should document the assumption setting process and, in particular, the use of expert judgement, in such a manner that the process is transparent. 3.18. Insurance and reinsurance undertakings should include in the documentation
the resulting assumptions and their materiality,
the experts involved,
the intended use
and the period of validity.
3.19. Insurance and reinsurance undertakings should include the rationale for the opinion, including the information basis used, with the level of detail necessary to make transparent both the assumptions and the process and decision-making criteria used for the selection of the assumptions and disregarding other alternatives. 3.20. Insurance and reinsurance undertakings should make sure that users of material assumptions receive clear and comprehensive written information about those assumptions.
NEW: GUIDELINE 24E – VALIDATION OF ASSUMPTIONS SETTING 3.21. Insurance and reinsurance undertakings should ensure that the process for choosing assumptions and using expert judgement is validated. 3.22. Insurance and reinsurance undertakings should ensure that the process and the tools for validating the assumptions and in particular the use of expert judgement are documented. 3.23. Insurance and reinsurance undertakings should track the changes of material assumptions in response to new information, and analyse and explain those changes as well as deviations of realisations from material assumptions. 3.24. Insurance and reinsurance undertakings, where feasible and appropriate, should use validation tools such as stress testing or sensitivity testing. 3.25. Insurance and reinsurance undertakings should review the assumptions chosen, relying on independent internal or external expertise. 3.26. Insurance and reinsurance undertakings should detect the occurrence of circumstances under which the assumptions would be considered false.
AMENDED: GUIDELINE 25 – MODELLING BIOMETRIC RISK FACTORS 3.27. Insurance and reinsurance undertakings should consider whether a deterministic or a stochastic approach is proportionate to model the uncertainty of biometric risk factors. 3.28. Insurance and reinsurance undertakings should take into account the duration of the liabilities when assessing whether a method that neglects expected future changes in biometrical risk factors is proportionate, in particular in assessing the error introduced in the result by the method. 3.29. Insurance and reinsurance undertakings should ensure, when assessing whether a method that assumes that biometric risk factors are independent from any other variable is proportionate, and that the specificities of the risk factors are taken into account. For this purpose, the assessment of the level of correlation should be based on historical data and expert judgment.
NEW: GUIDELINE 28A – INVESTMENT MANAGEMENT EXPENSES 3.30. Insurance and reinsurance undertakings should include in the best estimate administrative and trading expenses associated with the investments needed to service insurance and reinsurance contracts. 3.31. In particular, for products whose terms and conditions of the contract or the regulation requires to identify the investments associated with a product (e.g. most unit linked and index linked products, products managed in ring-fenced funds and products to which matching adjustment is applied), insurance and reinsurance undertakings should consider the investments. 3.32. For other products, insurance and reinsurance undertakings should base the assessment on the characteristics of the contracts. 3.33. As a simplification, insurance and reinsurance undertakings may also consider all investment management expenses. 3.34. Reimbursements of investment management expenses that the fund manager pays to the undertaking should be taken into account as other incoming cash flows. Where these reimbursements are shared with the policyholders or other third parties, the corresponding cash out flows should also be considered.
AMENDED: GUIDELINE 30 – APORTIONMENT OF EXPENSES 3.41. Insurance and reinsurance undertakings should allocate and project expenses in a realistic and objective manner and should base the allocation of these expenses
on their long-term business strategies,
on recent analyses of the operations of the business,
on the identification of appropriate expense drivers
and on relevant expense apportionment ratios.
3.42. Without prejudice to the proportionality assessment and the first paragraph of this guideline, insurance and reinsurance undertakings should consider using, in order to allocate overhead expenses over time, the simplification outlined in Technical Annex I, when the following conditions are met:
a) the undertaking pursues annually renewable business; b) the renewals must be reputed to be new business according the boundaries of the insurance contract; c) the claims occur uniformly during the coverage period.
AMENDED: GUIDELINE 33 – CHANGES IN EXPENSES 3.47. Insurance and reinsurance undertakings should ensure that assumptions with respect to the evolution of expenses over time, including future expenses arising from commitments made on or prior to the valuation date, are appropriate and consider the nature of the expenses involved. Insurance and reinsurance undertakings should make an allowance for inflation that is consistent with the economic assumptions made and with dependency of expenses on other cash flows of the contract.
NEW: GUIDELINE 37A – DYNAMIC POLICYHOLDER BEHAVIOUR 3.53. Insurance and reinsurance undertakings should base their assumptions on the exercise rate of relevant options on:
statistical and empirical evidence, where it is representative of future conduct, and
expert judgment on sound rationale and with clear documentation.
3.54. The lack of data for extreme scenarios should not be considered alone to be a reason to avoid dynamic policyholder behaviour modelling and/or the interaction with future management actions.
NEW: GUIDELINE 37B – BIDIRECTIONAL ASSUMPTIONS 3.59. When setting the assumptions on dynamic policyholder behaviour, insurance and reinsurance undertakings should consider that the dependency on the trigger event and the exercise rate of the option is usually bidirectional, i.e. both an increase and a decrease should be considered depending on the direction of the trigger event.
NEW: GUIDELINE 37C – OPTION TO PAY ADDITIONAL OR DIFFERENT PREMIUMS 3.60. Insurance and reinsurance undertakings should model all relevant contractual options when projecting the cash flows, including the option to pay additional premiums or to vary the amount of premiums to be paid that fall within contract boundaries.
NEW: GUIDELINE 40A – COMPREHENSIVE MANAGEMENT PLAN 3.61. Insurance and reinsurance undertakings should ensure that the comprehensive future management actions plan that is approved by the administrative, management or supervisory body is either:
a single document listing all assumptions relating to future management actions used in the best estimate calculation; or
a set of documents, accompanied by an inventory, that clearly provide a complete view of all assumptions relating to future management actions used in best estimate calculation.
NEW: GUIDELINE 40B – CONSIDERATION OF NEW BUSINESS IN SETTING FUTURE MANAGEMENT ACTIONS 3.64. Insurance and reinsurance undertakings should consider the effect of new business in setting future management actions and duly consider the consequences on other related assumptions. In particular, the fact that the set of cash-flows to be projected through the application of Article 18 of the Delegated Regulation on contract boundaries is limited should not lead insurance and reinsurance undertakings to consider that assumptions only rely on this projected set of cash-flows without any influence of new business. This is particularly the case for assumptions on the allocation of risky assets, management of the duration gap or application of profit sharing mechanisms.
NEW: GUIDELINE 53A – USE OF STOCHASTIC VALUATION 3.70. Insurance and reinsurance undertakings should use stochastic modelling for the valuation of technical provisions of contracts whose cash flows depend on future events and developments, in particular those with material options and guarantees. 3.71. When assessing whether stochastic modelling is needed to adequately capture the value of options and guarantees, insurance and reinsurance undertakings should, in particular but not only, consider the following cases:
any kind of profit-sharing mechanism where the future benefits depend on the return of the assets;
financial guarantees (e.g. technical rates, even without profit sharing mechanism), in particular, but not only, where combined with options (e.g. surrender options) whose dynamic modelling would increase the present value of cash flows in some scenarios.
NEW: GUIDELINE 57A – MARKET RISK FACTORS NEEDED TO DELIVER APPROPRIATE RESULTS 3.75. When assessing whether all the relevant risk factors are modelled with respect to the provisions of Articles 22(3) and 34(5) of the Delegated Regulation, insurance and reinsurance undertakings should be able to demonstrate that their modelling adequately reflects the volatility of their assets and that the material sources of volatility are appropriately reflected (e.g. spreads and default risk). 3.76. In particular, insurance and reinsurance undertakings should use models that allow for the modelling of negative interest rates.
AMENDED: GUIDELINE 77 – ASSUMPTIONS USED TO CALCULATE EPIFP 3.78. For the purpose of calculating the technical provisions without risk margin under the assumption that the premiums relating to existing insurance and reinsurance contracts that are expected to be received in the future are not received, insurance and reinsurance undertakings should apply the same actuarial method used to calculate the technical provisions without risk margin in accordance with Article 77 of the Solvency II Directive, with the following changed assumptions:
a) policies should be treated as though they continue to be in force rather than being considered as surrendered; b) regardless of the legal or contractual terms applicable to the contract, the calculation should not include penalties, reductions or any other type of adjustment to the theoretical actuarial valuation of technical provisions without a risk margin calculated as though the policy continued to be in force.
3.79. All the other assumptions (e.g. mortality, lapses or expenses) should remain unchanged. This means that the insurance and reinsurance undertakings should apply
the same projection horizon,
future management actions
and policyholder option exercise rates used in best estimate calculation
without adjusting them to consider that future premiums will not be received. Even if all assumptions on expenses should remain constant, the level of some expenses (e.g. acquisition expenses or investment management expenses) could be indirectly affected.
NEW: GUIDELINE 77A – ALTERNATIVE APPROACH TO CALCULATE EPIFP 3.88. Insurance and reinsurance undertakings may identify EPIFP as the part of present value of future profits related to future premiums in case the outcome does not materially deviate from the value that would have resulted from the valuation described in Guideline 77. This approach may be implemented using a formula design.
EIOPA’S DIGITAL TRANSFORMATION STRATEGIC PRIORITIES AND OBJECTIVES
EIOPA’s supervisory and regulatory activities are always underpinned by two overarching objectives: promoting consumer protection and financial stability. The digital transformation strategy aims at identifying areas where, in view of these overarching objectives, EIOPA can best commit its resources in view of the challenges posed by digitalisation, while at the same time seeking to identify and remove undue barriers that limit the benefits.
This strategy sits alongside EIOPA’s other forward thinking prioritisation tools –
the union-wide strategic supervisory priorities,
the Strategy on Cyber Underwriting,
the Suptech Strategy
– but its focus is less on the specific actions needed in different areas, and more on how EIOPA will support NCAs and the pensions and insurance sectors in facing digital transformations following a
and secure approach
to financial innovation and digitalisation.
Five key long-term priorities have been identified, which will guide EIOPA’s contributions on digitalisation topics:
Leveraging on the development of a sound European data ecosystem
Preparing for an increase of Artificial Intelligence while focusing on financial inclusion
Ensuring a forward looking approach to financial stability and resilience
Realising the benefits of the European single market
Enhancing the supervisory capabilities of EIOPA and NCAs.
These five long-term priorities are described in the following sections. Each relates to areas where work is already underway or planned, whether at national or European level, by EIOPA or other European bodies.
The aim is to focus on priority areas where EIOPA can add value so as to enhance synergies and improve overall convergence and efficiency in our response as a supervisory community to the digital transformation.
LEVERAGING ON THE DEVELOPMENT OF A SOUND EUROPEAN DATA ECO-SYSTEM ACCOMPANYING THE DEVELOPMENT OF AN OPEN FINANCE AND OPEN INSURANCE FRAMEWORK Trends in the market show that the exchange of both personal and non-personal data through Application Programming Interfaces (APIs) is a leading factor leading to transformation and integration in the financial sector. By enabling several stakeholders to “plug” to an API to have access to timely and standardised data, insurance undertakings in collaboration with other service providers can timely and adequately assess the needs of consumers and develop innovative and convenient proposals for them. Indeed, there are multiple types of use cases that can be developed as a result of enhanced accessing and sharing of data in insurance.
Examples of potential use cases include pension tracking systems (see further below), public and private comparison websites, or different forms of embedding insurance (including micro insurances) in the channels of other actors (retailers, airlines, car sharing applications, etc.).
Another use case could consist in allowing consumers to conveniently access information about their insurance products from different providers in an integrated platform / application and identify any protection gaps (or overlaps) in coverage that they may have.
In addition to having access to a greater variety of products and services and enabling consumers to make more informed decisions, the transfer of insurance-related data seamlessly from one provider to another in real-time (data portability) could facilitate switching and enhance competition in the market.
Supervisory authorities could also potentially connect into the relevant APIs to access anonymised market data so as to develop more pre-emptive and evidence-based supervision and regulation.
However, it is also important to take into account relevant risks such those linked to data
ICT/cyber risks and financial inclusion risks are also relevant, as well as issues related to a level playing field and data reciprocity.
EIOPA considers that, if the risks are handled right, several open insurance use cases can have significant benefits for consumers, for the sector and its supervision and will use the findings of its recent public consultation on this topic to collaborate with the European Commission on the development of the financial data space and/or open finance initiatives respectively foreseen in the Commission’s Data Strategy and Digital Finance Strategy, possibly focusing on specific use cases.
ADVISING ON THE DEVELOPMENT OF PENSIONS DATA TRACKING SYSTEMS IN THE EU European public pension systems are facing the dual challenge of remaining financially sustainable in an aging society and being able to provide Europeans with an adequate income in retirement. Hence, the relevance of supplementary occupational and personal pension systems is increasing. The latter are also seeing a major trend influenced by the low interest environment consisting on the shift from Defined Benefit (DB) plans, which guarantee citizens a certain income after retirement, to Defined Contribution (DC) plans, where retirement income depends on how the accumulated contributions have been invested. As a consequence of these developments, more responsibility and financial risks are placed on individual citizens for planning for their income after retirement.
In this context, Pensions Tracking Systems (PTS) can provide simple and understandable information to the average citizen about his or her pension savings in an aggregated manner, typically conveniently accessible via digital channels. PTS are linked to the concept of Open Finance, since different providers of statutory and private pensions share pension data in a standardised manner so that it can be aggregated so as to provide consumers with relevant information for adopting informed decisions about their retirement planning.
EIOPA considers that it is increasingly important to provide consumers with adequate information to make informed decisions about their retirement planning, as it is reflected in EIOPA’s technical advice to the European Commission on best practices for the development of Pension Tracking Systems. EIOPA remains ready to further assist on this area, as relevant.
TRANSITIONING TOWARDS A SUSTAINABLE ECONOMY WITH THE HELP OF DATA AND TECHNOLOGY Technologies such as
or the Internet of Things
can assist European insurance undertakings and pension schemes in the implementation of more sustainable business models and investments.
For example, greater insights provided by new datasets (e.g. satellite images or images taken by drones) combined with more granular AI systems may allow to better assess climate change-related risks and provide advanced insurance coverage. Indeed, as highlighted by the Commission’s strategy on adaptation to climate change, actions aimed to adapt to climate change should be informed by more and better data on climate-related risks and losses accessible to everyone as well as relevant risks assessment tools.
This would allow insurance undertakings to contribute to a wider inclusion by incentivising customers to mitigate risks via policies whose pricing and contractual terms are based on effective measurements, e.g. with the use of telematics-based solutions in home insurance. However, there are also concerns about the impact on the affordability and availability of insurance for certain consumers (e.g. consumers living in areas highly exposed to flooding) as well as regarding the environmental impact of some technologies, notably concerning the energy consumption of certain data centres and crypto-assets.
Promoting a sustainable economy is a core priority for EIOPA. For this purpose, EIOPA will specifically develop a Sustainable Finance Action Plan highlighting, among other things, the importance of improving the accessibility and availability of data and models on climate-related risks and insured losses and the role that EIOPA can play therein, as highlighted by the Commission’s strategy on adaptation to climate change and in line with the Green deal data space foreseen in the Commission’s Data Strategy.
PREPARING FOR AN INCREASE OF ARTIFICIAL INTELLIGENCE WHILE FOCUSING ON FINANCIAL INCLUSION TOWARDS AN ETHICAL AND TRUSWORTHY ARTIFICIAL INTELLIGENCE IN THE EUROPEAN INSURANCE SECTOR The take-up of AI in all the areas of the insurance value chain raises specific opportunities and challenges; the variety of use cases is fast moving, while the technical, ethical and supervisory issues thrown up in ensuring appropriate governance, oversight, and transparency are wide ranging. Indeed, while the benefits of AI in terms of prediction accuracy, cost efficiency and automation are very relevant, the challenges raised by
the limited explainability of some AI systems
and the potential impact on some AI use cases on the fair treatment of consumers and the financial inclusion of vulnerable consumers and protected classes
is also significant.
A coordinated and coherent approach across markets, insurance undertakings and intermediaries, and between supervisors is therefore of particular importance, also given the potential costs of addressing divergences in the future. EIOPA acknowledges that AI can play a pivotal role in the digital transformation of the insurance and pension markets in the years to come and therefore the importance of establishing adequate governance frameworks to ensure ethical and trustworthy AI systems. EIOPA will seek to leverage the AI governance principles recently developed by its consultative expert group on digital ethics, to develop further sectorial work on specific AI use cases in insurance.
PROMOTING FINANCIAL INCLUSION IN THE DIGITAL AGE On the one hand, new technologies and business models could be used to improve the financial inclusion of European citizens. For example, young drivers using telematics devices installed in their cars or diabetes patients using health wearable devices reportedly have access to more affordable insurance products. In addition to the incentives arising from advanced risk-based pricing, insurance undertakings could provide consumers loss prevention / risk mitigation services (e.g. suggestions to drive safely or to adopt healthier lifestyles) to help them understand and mitigate their risk exposure.
From a different perspective, digital communication channels, new identity solutions and onboarding options could also facilitate access to insurance to certain customer segments. On the other hand, certain categories of consumers or consumers not willing to share personal data could encounter difficulties in accessing affordable insurance as a result of more granular risk assessments. This would be for instance the case of consumers having difficulties to access affordable flood insurance as a result detailed risk-based pricing enabled by satellite imagery processed by AI systems. In addition,
other groups of potentially vulnerable consumers deserve special attention due to their personal characteristics (e.g. elderly people or in poverty),
life-time events (e.g. car accident),
health conditions (e.g. undergoing therapy)
or people with difficulties to access digital services.
Furthermore, the trend towards increasingly data-driven business models can be compromised if adequate governance measures are not put in place to deal with biases in datasets used in order to avoid discriminatory outcomes.
EIOPA will assess the topic of financial inclusion from a broader perspective i.e. not only from a digitalisation angle, seeking to promote the fair and ethical treatment of consumers, in particular in front-desk applications and in insurance lines of businesses that are particularly important due to their social impact.
EIOPA will routinely assess its consumer protection supervisory and policy work in view of impacts on financial inclusion, and ensuring its work on digitalisation takes into account accessibility or inclusion impacts.
ENSURING A FORWARD LOOKING APPROACH TO FINANCIAL STABILITY AND RESILIENCE ENSURING A RESILIENT AND SECURE DIGITALISATION Similar to other sectors of the economy, incumbent undertakings as well as InsurTech start-ups increasingly rely on information and communication technology (ICT) systems in the provision of insurance and pensions services. Among other benefits, the increasing adoption of innovative ICT allow undertakings to implement more efficient processes and reduce operational costs, enable data tracking and data backups in case of incidents, as well as greater accessibility and collaboration within the organisation (e.g. via cloud computing systems).
However, undertakings’ operations are also increasingly vulnerable to ICT security incidents, including cyberattacks. Furthermore, the complexity of some ICT or a different governance applied to new technologies (e.g. cloud computing) is increasing as well as the frequency of ICT related incidents (e.g. cyber incidents), which can have a considerable impact on undertakings’ operational functioning. Moreover, relevance of larger ICT service providers could also lead to concentration and contagion risks. Supervisory authorities need to take into account these developments and adapt their supervisory skills and competences accordingly.
Early on, EIOPA identified cyber security and ICT resilience as a key policy priority and in the years to come will focus on the implementation of those priorities, including the recently adopted cloud computing and ICT guidelines, and on the upcoming implementation of the Digital Operational Resilience Act (DORA).
ASSESSING THE PRUDENTIAL FRAMEWORK IN THE LIGHT OF DIGITALISATION The Solvency II Directive sets out requirements applicable to insurance and reinsurance undertakings in the EU with the aim to ensure their financial soundness and provide adequate protection to policyholders and beneficiaries. The Solvency II Directive follows a proportional, risk-based and technology-neutral approach and therefore it remains fully relevant in the context of digitalisation. Under this approach, all undertakings, including start-ups that wish to obtain a licence to benefit from Solvency II’s pass-porting rights to access the Internal Market via digital (and non-digital) distribution channels need to meet the requirements foreseen in the Directive, including minimal capital.
A prudential evaluation respective digital transformation processes should consider that insurance undertakings are incurring in high IT-related costs, to be appropriately reflected in their balance sheet. Furthermore, Solvency II requirement on outsourcing and the system of governance requirements are also relevant, in light of the increasing collaboration with third-party service providers (including BigTechs) and the use of new technologies such as AI. Investments on novel assets such as crypto-assets as well as the trend towards the “platformisation” of the economy are also relevant from a prudential perspective and the type of activities developed by insurance undertakings.
EIOPA considers that it is important to assess the prudential framework in light of the digital transformation that is taking place in the sector, seeking to ensure its financial soundness, promote greater supervisory convergence and also assess whether digital activities and related risks are adequately captured and if there are any undue regulatory barriers to digitalisation in this area.
REALISING THE BENEFITS OF THE EUROPEAN SINGLE MARKET SUPPORTING THE DIGITAL SINGLE MARKET FOR INSURANCE AND PENSION PRODUCTS Digital distribution can readily cross borders and reduce linguistic and other barriers; economies of scale linked to offering products to a wider market, increased competition, and greater variety of products and services for consumers are some of the benefits arising from the European Internal Market.
However, the scaling up the scope and speed of distribution of products and services across the Internal Market is an area where there is still a major untapped potential. Indeed, while legislative initiatives such as the
Insurance Distribution Directive (IDD),
Solvency II Directive,
Packaged Retail and Insurance-based Investment Products (PRIIPs) Regulation,
or the Directive on the activities and supervision of institutions for occupational retirement provision (IORP II)16
have made considerable progress towards the convergence of national regimes in Europe, considerable supervisory and regulatory divergences still persist amongst EU Member States.
For example, the IDD is a minimum harmonisation Directive. Existing regulation does not always allows for a fully digital approach. For instance, the need to use non-digital signatures or paper-based requirements as established by Article 23 (1) (a) IDD and Article 14 (2) (a) PRIIPs Regulation can limit end-to-end digital workflows. It is critical that the opportunities – and risks, for instance in relation to financial inclusion and accessibility – that come with digital transformations are fully integrated into future policy work. In this context, the so-called 28th regime used in Regulation on a pan-European Personal Pension Product (PEPP)17, which does not replace or harmonise national systems but coexists with them, is an approach that could eventually be explored taking into account the lessons learned.
EIOPA supports the development of the Internal Market in times of transformation, through the recalibration where needed of the IDD, Solvency II, PRIIPS and IORP II from a digital single market perspective. EIOPA will also explore what a digital single market for insurance might look like from a regulatory and supervisory perspective. Furthermore, EIOPA will integrate a digital ‘sense check’ into all of its policy work, where relevant.
SUPPORTING INNOVATION FACILITATORS IN EUROPE In recent years many NCAsin the EU have adopted initiatives to facilitate financial innovation. These initiatives include the establishment of innovation facilitators such as ‘innovation hubs’ and ‘regulatory sandboxes’ to exchange views and experience concerning Fintech-related regulatory issues and enable the testing and development of innovative solutions in a controlled environment and to learn more as to supervisory expectations. These initiatives also allow supervisory authorities to gather a better understanding of the new technologies and business models taking place in the market.
At European level, the European Forum for Innovation Facilitators (EFIF), created in 2019, has become an important forum where European supervisors share experiences from their national innovation facilitators and discuss with stakeholders topics such as Artificial Intelligence, Platformisation, RegTech or crypto-assets. The EFIF will soon be complemented with the Commission’s Digital Finance platform; a new digital interface where stakeholders of the digital finance ecosystem will be able to interact.
Innovation facilitators can play a key role in the implementation and adoption of innovative technologies and business models in Europe and EIOPA will continue to support them through its work in the EFIF and the upcoming Digital Finance Platform. EIOPA will work to further facilitate cross-border / cross-sector cooperation and information exchanges on emergent business models.
ADDRESSING THE OPPORTUNITIES AND CHALLENGES OF FRAGMENTED VALUE CHAINS AND THE PLATFORM ECONOMY New actors including InsurTech start-ups and BigTech companies are entering the insurance market, both as competitors as well as cooperation partners of incumbent insurance undertakings.
Concerning the latter, incumbent undertakings reportedly increasingly revert to third-party service providers to gain quick and efficient access to new technologies and business models. For example, based on in EIOPA’s Big Data Analytics thematic review, while the majority of the participating insurance undertakings using BDA solutions in the area of claims management developed these tools in-house, two thirds of the undertakings reverted to outsourcing arrangements in order to implement AI-powered chatbots.
This trend is reinforced by the platformisation of the economy, which in the insurance sector goes beyond traditional comparison websites and is reflected in the development of complex ecosystems integrating different stakeholders. They often share data via Application Programming Interfaces (APIs) and cooperate in the distribution of insurance products via platforms (including those of BigTechs) embedded (bundled) with other financial and non-financial services. In addition, in a broader context of Decentralised Finance (DEFI), Peer-to-Peer (P2P) insurance business models using digital platforms and different levels of decentralisation to interact with members with similar risks profiles have also emerged in several jurisdiction; although their significance in terms of gross written premiums is very limited to date, it is a matter that needs to be monitored.
EIOPA notes the opportunities and challenges arising from increasingly fragmented value chains and the platformisation of economy which will be reflected in the ESAs upcoming technical advice on digital finance to the European Commission, and will subsequently support any measures within its remit that may be needed to
encourage innovation and competition,
safeguard financial stability
and ensure a level playing field.
ENHANCING THE SUPERVISORY CAPABILITIES OF EIOPA AND NCAS LEVERAGING ON TECHNOLOGY AND DATA FOR MORE EFFICIENT SUPERVISION AND REGULATORY COMPLIANCE Digital technologies can also help supervisors to implement more agile and efficient supervisory processes (commonly known as Suptech). They can support a continuous improvement of internal processes as well as business intelligence capabilities, including enhancing the analytical framework, the development of risk assessments and the publication of statistics. This can also include new capabilities for identifying and assessing conduct risks.
With its European perspective, EIOPA can play a key role by enhancing NCAs data analysis capabilities based on extensive and rich datasets and appropriate processing tools.
As outlined in its SupTech strategy and Data and IT strategy, EIOPA has the objective to promote its own transformation to become a digital, user-focused and data driven organisation that meets its strategic objectives effectively and efficiently. Several on-going projects are already in place to achieve this objective.
INCREASING THE UNDERSTANDING OF NEW TECHNOLOGIES BY SUPERVISORS IN CLOSE COOPERATION WITH STAKEHOLDERS Building supervisory capacity and convergence is a critical enabler for other benefits of digitalisation; without strong and convergent supervision, other benefits may be compromised. With the use of different tools available (innovation hubs, regulatory sandboxes, market monitoring, public consultations, desk-based reports etc.), supervisors seek to understand, engage and supervise increasingly technology-driven undertakings.
Closely cooperating with stakeholders with hands-on experience on the use of innovative tools has proofed to be useful tool to improve the knowledge by supervisors, and also for the stakeholders it is important to understand what are the supervisory expectations.
Certainly, the profile of the supervisors needs to evolve and they need to extend their knowledge into new areas and understand how new business models and value chains may impact undertakings and intermediaries both from a conduct and from a prudential perspective. Moreover, in view of the growing importance of new technologies and business models for insurance undertakings and pensions schemes, it is important to ensure that supervisors have access to relevant data about these developments in order to enable an evidence-based supervision.
EIOPA aims to continue incentivising the sharing of knowledge and experience amongst NCAs by organising InsurTech roundtables, workshops and seminars for supervisors as well as pursuing further potential deep-dive analysis on certain financial innovation topics. EIOPA will also further emphasise an evidence-based supervisory approach by developing a regular collection of harmonised data on digitalisation topics. EIOPA will also develop a stakeholder engagement strategy on digitalisation topics to identify those actors and areas where the cooperation should be reinforced.