Internal model approval
While preparing for the upcoming PillarOne-Workshop I discovered the chapter titled "External Models and Data" in CEIOPS' Advice on Articles 120 to 126, i.e. on "Tests and Standards for Internal Model Approval".
In section 10.4 4 CEIOPS states:
"Undertakings emphasized the need for a thorough understanding of the software features to enable them to make the most appropriate modeling choices."
Agreed. However, the article continues with a caveat:
"However, given the external providers’ interest in maintaining the confidentiality of certain key aspects of their products, most undertakings expressed concerns about the level of disclosure provided. Undertakings stressed that this may hamper their ability to meet the Solvency II validation and statistical quality standards with respect to external data and model components."
This is exactly where PillarOne enters the stage, and where we see the advantages of open source. PillarOne provides the ultimate level of disclosure: code and documentation can be verified (http://github.com/pillarone), and test cases can be verified and expanded.
Flipping some pages to article 10.32, I shall list the risks named there without further comment:
"The use of External models and data increases an undertaking's dependence on third parties (service providers), which may increase or at least could change the risk profile of the undertaking. Some of the risks related to the outsourcing activity include
• Strategic risk (For example, failure to implement appropriate oversight of the service provider, inadequate expertise to oversee the service provider, intellectual black box),
• Reputational risk (For example, poor service from the service provider, service provider practices not in line with practice of the undertaking),
• Compliance risk (For example, service provider not adequately complied with standards and practices, inadequate compliance systems and controls by the service provider),
• Operational risk (For example, technology failure, fraud or error, risk that undertakings find it difficult or costly to undertake reviews of the service provider, the service provider might fail to perform),
• Exit-strategy risk (For example, the risk that appropriate exit strategies are not in place, over-reliance on the service provider, the loss of relevant skills in the undertaking itself preventing it from bringing the activity back in-house, contracts which make a speedy exit prohibitively expensive, limited ability to return to an in-house approach due to lack of staff or loss of intellectual history),
• Contractual risk (For example, the ability to enforce contract, settlement of disputes),
• Access risk (For example, the outsourcing arrangement hinders ability of regulated entity to provide timely data and other information to regulators, additional layer of difficulty in regulator understanding activities of the service provider) and
• Concentration and Systemic risk (For example, the overall insurance industry has significant exposure to a small set of service providers and systemic risk to the insurance industry as a whole.)"
Markus M.

