The evolution of the Basel and Solvency II regulations over the last few years has developed, extended and updated most of the rules laid down in these directives. Most companies in the financial sector have gradually and effectively incorporated them.
Focusing on Pillar II and its impact on IT, in this post we will talk about one of the articles related to internal control and its contribution to the business.
In order to position our readers, we have transcribed the part of the normative text that is adapted, in this case to the insurance sector, to cite one in particular, to this article:
ART.46: Internal control
Insurance and reinsurance undertakings shall set up an effective internal control system. That system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance function.
(EIOPA) Guideline 33: Internal Control Environment
In accordance with Article 46 of the Solvency II Directive, the supervisory authorities should ensure that the undertaking promotes the importance of adequate internal controls by ensuring that all staff are aware of their role in the internal control system. Control activities should be proportionate to the risks arising from the activities and processes to be controlled.
In accordance with Article 246 of the Solvency II Directive, the supervisory authorities should ensure that the responsible entity ensures that the internal control systems apply throughout the group.
(EIOPA) Guideline 34: Monitoring and Reporting
In accordance with Article 46 of the Solvency II Directive, the supervisory authorities should ensure that the undertaking establishes that the control and reporting mechanisms of the internal control system provide the administrative, management and supervisory body with relevant information for the decision-making processes.
Application in ICTs
- Procedure-oriented regulations, IT procedures are included.
- Internal controls.
- Monitoring.
- Relevant information: Dashboards and reports
I know that often regulatory or procedural aspects are not always well appreciated by certain areas of the business. It is as if with those rules and procedures they lose freedom and thus productivity, when, with a few exceptions, it is quite the opposite. The rules oblige us and therefore they are not elusive or questionable, but the procedures are limited to say how the operations should be carried out so that they are executed in an optimal and controllable way, so they guarantee that the actions are carried out in the best possible way and that they leave traces of the process to be able to control it.
If someone feels that the procedures are in some way detrimental to the effectiveness and efficiency of their area, it is because they have not developed the procedures with best practices in mind, or have done so with a backward eye and do not reflect what should really be done, or because IT has not been available at a level that allows for optimal levels of automation. And; on the other hand, if the fact of leaving a record of what is being done is what causes the rejection of the procedures, under the argument of an overload of work, it is because the knowledge of what is happening is not adequately valued to be able to analyze it and improve it.
Processes that go into a loop, due to bad design, increased response times in critical services, obsolete processes that no longer have a function to be, etc. These are some of the cases that can be found in any data center.
Establishing an adequate monitoring of these processes, through the traceability of their "fingerprint", allows to know their operation, improve it and reduce the time, the resources they use (disk, memory, technical staff, etc.) and therefore the costs of each process, offering also an improvement of the image, both of the IT department, and of the company itself.
The monitoring of the processes allows to measure the improvements introduced in the optimization of the same ones, to control the risks and to quantify the costs. All of this is always highly valued by the areas directly involved in the outcome.
If in this process we manage to consolidate the monitoring of these and that we are able to obtain complete traceability of the information, the success will be even greater.
The traceability of the data allows us to verify, modernize and improve the different operations, which at present is usually one of the workhorses in our sector. The growth of different businesses and their location in incompatible technological systems has been from the beginning a source of problems in the consolidation, data governance and information improvement.
As the adaptation of these Legacy systems is neither simple, nor economic, nor fast, having an alternative that reduces risks and costs is something that will help companies to have an alternative plan while other measures are taken in the medium/long term.
Solvency II and the adequate management of processes (digital footprint and its monitoring), can be the lever that helps change and makes possible a modernization of these, the control and governance of data and the mitigation of associated risks.
