Category: Cyber Security

COSO due for renewal


The widely adopted COSO (Committee of Sponsoring Organizations of the Treadway Commission) risk framework, frequently utilized in the implementation and auditing of standards such as ISAE 3402 or ISO 27001, is due for a comprehensive update.

ICIF – the new model

Because of major changes in the market, the COSO II ERM framework had become outdated. A framework was needed that responded to, and took into account, current market conditions while remaining flexible enough to apply to a wide range of organisations: Internal Control – Integrated Framework (ICIF). The framework is also expected to enable organisations to meet rapidly changing market demands without taking on more risk.

The biggest change is the slimming down of the COSO cube (the number of components has been reduced). In addition, the model has moved to a ‘principle-based structure’, in which 17 principles form the foundation of the model. Also, in light of recent developments, the new model places more emphasis on the IT component.

From late 2011 to March 2012, the committee solicited feedback from the market on the framework. This feedback is currently being critically assessed by the committee and will largely be incorporated into the final version of the framework.

Control Reports


In response to current developments in outsourcing and the associated risk management, SASconsult has developed an implementation model that enables a cost-efficient ISAE 3402 implementation. This model (the SAS | Modeller) is delivered as a web tool that includes the process flows. As a result, the processes and controls required under ISAE 3402 are visible to everyone (via, for example, the intranet). We have already successfully implemented the SAS | Modeller at various property managers, IT organisations and other financial institutions. For more information about the SAS | Modeller and its possibilities for your organisation, please refer to SAS | Modeller.

Solvency II delay until 2014 – what does it mean for insurers?

EIOPA’s final postponement of the implementation of Solvency II in Europe (the start date is now set for 1 January 2014) ends a period of uncertainty for insurers. The reasons for the postponement, announced in late 2011, have since been explained through Q&As and consultation papers. However, a number of questions remain unanswered, such as:

  • When will the outstanding issues (those that emerged from the consultation papers, for example) be resolved?
  • To what extent can insurers implement Solvency II in 2013?
  • What are the minimum obligations regarding Solvency II (reporting, parallel run, etc.) for insurers during 2013?

These and other questions remain largely unanswered in the Q&As and consultation papers recently issued by EIOPA. Insurers will have to look for answers themselves.

What can an insurer do?

Meetings of the European Parliament show that significant differences still need to be resolved in the coming period, so there is a real chance that no clarity will come from Brussels in the short term. The question then is whether the DNB can provide more clarity. To a certain extent, yes: it has done so in the past with the so-called Parallel Run, where a number of points had been (intentionally) left open by the EU and, for the sake of clarity for insurers, were filled in by the DNB. It remains to be seen whether the DNB can do the same in this case. Take the obligations regarding Solvency II during 2013: can the DNB draw a clear line where the EU cannot? Time will tell.

Currently, the best way for insurers to prepare for the implementation of the Solvency II directive is to keep up the parallel run, follow developments closely (e.g., Omnibus II) and stay in frequent dialogue with the DNB.