Expect a Governance and/or Control Review
In this article we highlight a trend which Directors including NEDs, General Counsels and Compliance officers should be aware of arising from the implementation of Brexit solutions.
Both the PRA and FCA continue to have governance as an issue requiring attention in their 2019/20 Business Plans and Lloyd’s has a series of governance issues to cover this year including governance over annual planning, governance over underwriting controls, shared services and branch offices. Additionally, historically, the FSA and then PRA and FCA have been interested to know how and what changes are made within the governance and control environments when a merger, acquisition or reorganisation has taken place.
Despite all of the work undertaken by firms to manage and oversee the implementation of their Brexit solutions and the regulatory oversight involved in obtaining consent we are seeing a trend involving increased scrutiny of the governance and control arrangements resulting from these reorganisations.
It is no secret that a lot of insurance groups and intermediaries are implementing their Brexit solutions. It should also not be a surprise that Europe provides a reasonable amount of inwards insurance business to the London Market (according to some sources it is in excess of £2 billion into the Lloyds’ market alone) and the insurers and intermediaries in the market wish to protect that business by being ready for the worst. At the same time, they are being advised by their regulators the FCA and PRA that they must continue to plan for a hard Brexit.
In many cases arrangements have been finalised, licenses in the EU and UK obtained and transfers of books of business undertaken or cross border mergers implemented. In others these arrangements are not too far away from being completed. These changes and arrangements take a long time to prepare, plan and implement because of the complexities of dealing with the capital, finance, regulatory, tax, operational, customer, people and other issues and they require regulatory approval and in the case of Part VII transfer a Court approval. The moving of a significant book of business from one company to another can have a significant impact on many aspects of both companies no matter how it is achieved as can the setting up of a new branch.
The expectation is that a firm undertaking a reorganisation will consider the impact of the corporate change on governance and control aspects of the business and anticipate that any reorganisation will intrinsically include a plan for review of these areas. This current spate significant changes, however, appears to be resulting in a more intrusive approach from the regulators with more questions being asked and more regular requests for an independent review being made.
The questions being asked include:
- What changes have been made at Board and Committee level and whether the governance structure remains appropriate
- What changes have been made within the control functions including risk, compliance, actuarial and internal audit and whether they remain fit for purpose
- What changes have been made to the activities and controls operated by the businesses and/or control functions and the reporting in to Board and Board Committees
- What changes have been made to other significant functions including Finance and Operations/IT as well as claims which may bear upon the firms’ ability to service their customers’ needs
- Whether the new corporate structure gives rise to additional stretch for individuals at Board and in management and control functions
- How potential conflicts of interest have been identified and dealt with
- For firms which are wholly owned subsidiaries of overseas groups, what impact the changes have had on any influence exercised by the group on governance of the local entity
Most firms going through a Brexit reorganisation have probably already had to make applications for new Senior Function Holders and will have experienced the increase in oversight from the PRA and FCA in relation to approval of individuals under SMCR. As providers of preparatory interview training, we have heard and seen first hand how much more rigorous the approach has become. In many cases Firms also require an Independent Expert to provide a report on the impact of the transfer on customers to ensure that there is no material adverse impact on the customer whether in terms of security (credit risk) or service levels. These reports are viewed by the regulators before they give consent to the transactions involved.
However, even with these approvals being given the regulators are remaining unsatisfied with what they have seen in the planning for Brexit reorganisations in terms of governance and control changes. In many cases we have seen the Brexit project plans focussed on the tax, capital, finance, operational, IT/ claims, regulatory and people aspects including workstreams for governance and/or controls within actuarial, compliance risk and internal audit functions.
However, the oversight of reorganisations such as the implementation of a Brexit project have often failed to ensure that there is a documented deeper consideration of the impact of the changes on the Governance or control environments such as ensuring that there is an appropriate level of Board and/or Board Committee oversight. Reports to Boards and Committees on progress of the Brexit projects have focused on the process of completing the project and potentially some of the trickier aspects such as capital or tax and customer outcomes but may not have considered or reported in any detail on the changes in governance and controls. On completion of the projects there has been no subsequent review of the higher-level question of the impact of the project on these areas of the business which might have been performed by internal audit or an independent third party. Consequently, the Board and/or Board Committees may not have had the opportunity to ask or receive the answers to the questions we have detailed above.
This can be exacerbated by the fact that some of the changes have been taking place within the governance and board structure itself. In cases where there is no Nominations Committee, or the Nom Co and/or Audit Committee as appropriate were not engaged in consideration of the changes, companies can be charged with failure by “Group Think”. That is where everyone knows that the changes are taking place and are implementing them, but it is happening as a matter of course because the Brexit solution needs to be implemented rather than with any objectivity as to whether the changes at Board and within Governance or the control environment are appropriate.
It is this which is driving the regulators to look again at the issue. If the process of Board or Board Committee review of the impact of changes to governance and controls is not evident and fully documented with challenge by Executive and Non-Executive Directors where appropriate, it has not happened. Thus, the present interest of the regulators in understanding how oversight of appropriateness of changes to governance and controls and maintenance of effectiveness of controls was assured. In some cases, this has been flagged early by the PRA or FCA in their annual PSM letters but not in every case. It has however led to a number of recent reviews of governance and control environments.
Boards, including NEDs need to consider whether during the reorganisation they were provided with sufficient and appropriate information about all of the changes to the company’s governance, controls and controls functions and that they took appropriate steps to be satisfied that the changes were appropriate.
What to Do
What to do now is dependent on where you are in the process. If you have not completed your Brexit solution, there is time to ensure that you are properly documenting the changes to the Controls and controls environment and reporting to the Board or Audit committee on those changes and the impact they are having on the controls and resources within the control functions. You may even wish to consider having the Internal Audit team include within its Plan for this year a review of the control functions post-reorganisation for the purposes of reporting to the Audit Committee. You may also wish to plan a Board Governance and Control review using an external third party and take it as an opportunity to also undertake a Board Effectiveness review so as to kill two birds with one stone.
If you have completed your Brexit solution, review your planning documents to determine whether you feel the Board was given sufficient information about the impact of the changes. Ask your Chairman for his view as he is likely to be the individual that the PRA or FCA will ask as to whether there was a detailed and documented review. In either case if the answer is that you are not satisfied that the Board was given good opportunity to consider the changes to governance, controls and the control functions then the next question will be what to do about it. Internal or external assessment. Internally you could have each of the control functions present a report on the changes or you might have Internal Audit undertake an assessment. Externally a review by a third party will ordinarily not only ensure independence but also objectivity allaying any concerns the Board or any regulators may have.