Aug 5 ’11

Compliance Options: Solvency II Compliance: The New Kid in Town

by Gwen Thomas in z/Journal

Remember Sarbanes-Oxley (SOX)? It was supposed to ensure that controls were in place to make certain that a publicly traded company’s stated finances were in line with its actual finances. A provision of the law, SOX 404, was responsible for billions of dollars of remedial data and technology documentation and controls. If you work in an environment large enough to warrant a mainframe, chances are SOX 404 impacted how your department works with data.

The funny thing about SOX is that it had a ripple effect on IT groups. Some organizations that weren’t subject to SOX touched the data of affected organizations, and therefore had to attest and prove they also had effective controls in place. And once the concept of attestations (the declarations of accountable parties) was introduced into IT departments for the purpose of SOX compliance, a lot of organizations started using them for other purposes. In other words, it was no longer good enough for managers and architects to write “no problems” in their status reports. They were required to attest that they knew what their objectives were and that they had personal knowledge of the actual state of progress against control objectives. IT people weren’t subject to jail time for lying the way CEOs and CFOs were. But still, employment for some IT staff hinged on these attestations.

But SOX is old news. The new news is Solvency II. It’s focused on the rationalization, harmonization, and modernization of insurance regulation in the European Union (EU).

Solvency II’s primary objective is to strengthen policyholder protection by aligning a firm’s capital requirements (the money it must have available) more closely with its risk profile. This directive seeks to instill risk awareness into the governance, operations, and decision-making of the business. And it has huge ramifications for how data is managed within the organization.

Not in Europe? Not in insurance? Think this has nothing to do with you? Think again. Solvency II requirements are providing a type of framework that’s often getting embedded into organizations’ larger Governance, Risk, and Compliance (GRC) efforts. The data portion is so common-sense that it may become a de facto standard in GRC parlance. Why should you care? GRC frameworks are used by senior leadership to align projects, processes, human resources (jobs!), and systems. IT-focused frameworks generally need to align to GRC frameworks, rather than vice versa. So, it would behoove you to know what Solvency II data ramifications include.

Here are some regulatory requirements and European Insurance and Occupational Pensions Authority (EIOPA) comments in relation to data quality, courtesy of Ernst & Young’s guide, “Getting Up to Speed: Solvency II Data and Systems.”

Key activity and regulatory driver:

Look familiar? I’ll bet these are what you’ve been preaching about your entire career! Well, now might be the time to write a memo about what needs to be done about them in your environment.