What is ERM? Enterprise Risk Management (“ERM”) - the process of planning, organizing, leading, and controlling all activities of a company in an integrated fashion in order to minimize the effects of risk on the company’s capital and earnings. A view of the “whole world” of risk throughout a company…
Before ERM - Silos “Silo approach” (no collaboration or standardization btw business units) Qualitative risk assessments (lack of other methods in use) Risk avoidance / reactive risk controls (rather than proactive) Risks with no owners Limited-risk mitigation scope Limited regulatory scrutiny Risk is only seen as threats 5
With ERM – Integration Addresses risks in a broader way Better communication amongst management and whole company Streamlined management of risk, with ability to PRIORITIZE risks Assigns and ensures risk ownership and accountability Flexible to grown and change with company, as environment changes Addresses opportunities too 6
Compliance Risk: A Fundamental ERM Pillar Compliance risks are only part of the ERM picture, but they are some of the most significant risks to the company from a financial perspective, ranking high in priority for managerial review and action. The challenge facing many compliance professionals today is how best to integrate compliance risks into a wider world of risk in a formal ERM structure.
Why ERM for Insurers? RegulatoryDrivers Solvency II, European SOX Dodd-Frank Regulators/Audits Banking and Securities Business Drivers Strategic Analysis Rating Agencies (S&P, AM Best, Moody’s) Financial Auditors Shareholders and other stakeholders 8 * NAIC Risk Management and Own Risk Solvency “RMORSA” Model Act *
NAIC Activity & Developments December 2010 NAIC adopted significant revisions to the Insurance Holding Company System Regulatory Act (Model 440) and the Insurance Holding Company System Model Regulation (Model 450) Perceived risk to insurance companies from non- regulated entities within their holding company structure Enterprise Risk defined Enterprise Risk Reporting Form – Form F at least annually 9
NAIC Activity & Developments “Enterprise Risk” is any activity, circumstance, event or series of events involving one or more affiliates of an insurer that, if not remedied promptly, is likely to have a material adverse effect upon the financial condition or liquidity of the insurer or its insurance holding company system as a whole, including, but not limited to, anything that would cause the insurers Risk-Based Capital to fall into company action level … or would cause the insurer to be in a hazardous financial condition. 10
NAIC Activity & Developments Form F Reporting Requirements –Material developments re: strategy, internal audit findings, compliance on risk management affecting the insurance holding company system. –Acquisition or disposal of insurance entities and reallocating of existing financial or insurance entities with the insurance holding company system. –Shareholder changes of the insurance holding company system exceeding 10% or more of voting securities. –Developments in various investigations that may have a significant bearing or impact on the insurance holding company system. 11
NAIC Activity & Developments Form F Reporting Requirements –Business plan of the insurance holding company system and summarized strategies for the next 12 months. –Identification of material concerns of the insurance holding company system raised by supervisory college, if any, in the past year. –Indentification of insurance holding company system capital resources and material distribution patterns. –Indentification of any negative movement, or discussions with rating agencies that might have caused or might cause, potential negative movement in the credit ratings 12
NAIC Activity & Developments Form F Reporting Requirements –and individual insurer financial strength ratings assessment of the insurance holding company system (including both the rating score and outlook. –Information on corporate or parental guarantees throughout the holding company and the expected source of liquidity should such guarantees be called upon. –Identification of any material activity or development of the insurance holding company system that, in the opinion of senior management, could adversely affect the insurance holding company system. 13 F2MRL4
In this Summary Report, insurers (over $500M in premium or groups writing over $1B) are asked to provide detail to state regulators in three key sections: Section 1 – Description of the Insurer's Risk Management Framework, including, per the ORSA Guidance Manual, descriptions of the company’s: –Risk Culture and Governance. –Risk Identification and Prioritization –Risk Appetite, Tolerances and Limits –Risk Management and Controls –Risk Reporting and Communication 14 The NAIC RMORSA Model Act
The NAIC RMORSA Report (cont.) Section 2 — An Insurer's Assessment of Risk Exposures Describe how company assesses material and relevant risks to its business strategy. Requires quantification of risks under a range of outcomes using actuarial measurement or modeling techniques (scenarios and stress tests) to evaluate material risks against a “risk tolerance” or “appetite.” –Reviewed categories can include such risks as credit, market, liquidity, cash flow, underwriting, claim, expense, and operational risks. –Some risks can’t easily be quantified, such as reputational risk, but nevertheless should be tracked and considered as part of the analysis. 15
NAIC RMORSA Section 3 — Group Risk Capital and Prospective Solvency Assessment Documents how the company combines the qualitative elements of its risk management policy and the quantitative measures of risk exposure in determining the level of financial resources (capital and surplus) it needs to manage its business and execute its business plans. Models over a longer term than previously expected by regulators, typically 2-5 years. 16
NAIC Activity & Developments State adoption of NAIC Holding Co. changes required. –Connecticut, Kentucky, Louisiana, and Rhode Island –Florida attempted to pass bill to adopt NAIC changes, but it did not pass. –RMORSA Model Act Passage also in progress Confidentiality of Information –State public records laws Exemptions Trade secret 17
Recap Benefits of ERM for Compliance BEFORE ERM “Siloed” approach Weak risk assessment process Qualitative measurements Reactive focus on mitigation Risks ID’d but not Owned Risks perceived only as threats AFTER ERM Collaborative approach Strong risk assessment process Quantitative measurements Proactive focus, “best practices” controls Risks Owned, monitored Better alignment of all business units towards strategic company goals
As a Result… New perspectives on risks are obtained Re-evaluation/revision of staff assignments, workflows, and attestation processes Priorities are more easily set Encourages strengthening of controls, procedures Opportunities for adopting “best practices” Increases the profile & value of Compliance Compliance can do a better job 21
Challenge #1: Defining the Compliance Function There are many ways to define what “compliance risks” are, and how/by whom they should be managed. The range of risks that could be considered “compliance risk” is very broad, varies by company. May include: –Violation of the company’s Code of Conduct and Ethics; –Failure to adhere to state laws regarding advertising to and communications with policyholders; –Non-compliance specifically with policy rate and form filing procedures; –Violation of “good-faith” claim handling laws and regulations; or –Breach of internal underwriting guidelines and authorities. 22
Challenge #2: Keeping Risks/Controls Updated Constant need to keep abreast of changes in compliance and regulatory risk, carried through to the ERM program. Over 11,000 new laws and regulations proposed, over 3,000 enacted or adopted annually. –New /emerging risks must be captured and shared –Pure number of risks makes categorization difficult –Need to re-score and re-prioritize identified risks –Controls must be flexibly designed, updated frequently Compliance team may best positioned to help manage regulatory change for multiple departments….
Challenge #3: Assessing Compliance Risk Quantifying risk may be another special challenge for Compliance in the ERM process. –Compliance may not be used to evaluating risk frequency or severity, or prioritizing compliance/risk issues –Have to also consider departments outside of Compliance which may be impacted by a compliance breach. –May be limited company or industry data on certain types of compliance losses or risks »Resources: Laws, Regulations, NAIC, State DOIs, News, 3 rd -partyDatabases, Published Market Conduct Exams
Challenge #4 – Developing “Best Practice” Controls Day-to-day “Policies and Procedures” are some of the most important kinds of key “ERM controls.” The two concepts are different, but should be kept as integrated. Risks Controls Policies Procedures Failure to keep Compliance Risk Management, Policies and Procedures, and ERM Controls aligned and cross- checked can lead to staff confusion, duplicate or inefficient workflows, missed regulatory changes, and poor management of risks overall.
The Risk: Improper underwriting, or underwriting loss, due to a violation of a policy limit authority Key Controls, as listed in an ERM Control Library/Register: Underwriting Guidelines by line of business Management delegation of approval of U/W authority System Controls to prevent override of U/W authority, entering in contract Related Policies & Procedures, including protocols for: Ensuring U/Ws receive an Underwriting Authority Letter upon hire (HR, U/W management responsibility) For Policy(contract) issuance to policyholder, and recording of policy data in systems (U/W support or Operations, Finance, IT) Disclosure Committee procedures for Breach Reporting, such as quarterly reports to Compliance/Risk/Disclosure Committee of Breach of U/W Authorities (Compliance, Risk, Legal) 26 Example, an Underwriting Risk…
Integrating Compliance into ERM Efforts The Compliance team should be given more advance notice of strategic issues faced by other departments. This includes more information about new product lines, business partners, vendors, and other initiatives. The more information Compliance has, and the earlier they have it, the better Compliance staff can assess related compliance or regulatory risks and controls, to offer meaningful input into any decision-making process. Managing the compliance risk of any new business initiative is a key first step on the road to success.
All departments should coordinate efforts on identifying and sharing “emerging risks” and trends in their area of responsibility, and create a communication loop to understand risks seen by other areas (legal, finance, etc.) Use Compliance team members in ERM projects, as leaders or participants, such as reviewing or auditing certain cross- departmental controls, developing key performance indicators, or improving management ERM reports. –Better integrate ERM controls with compliance “policies and procedures.” Frequently self-assess the ERM program against Compliance initiatives group-wide for any gaps or areas of duplication. 28
Widen the audience who receives news of compliance breaches, and increase focus on the “group-wide” impact of compliance violations. This will help the ERM team and management, see compliance problems from multiple angles, in terms of the potential harm to the company’s reputation, loss of business, and strained agent, broker or reinsurance relationships. Communication of how compliance risks actually develop, and how they are managed or dealt with in practice, helps educate other departments about losses inherent in the business, and potential solutions for mitigating future losses. 29
Conclusion: Compliance as Star Performers Despite the challenges that Compliance professionals may face while implementing an ERM program, they can also provide crucial skills, wide perspective and valuable insight to help a company assess legal and regulatory risk. Solid compliance risk management is crucial to enterprise risk management, and can provide a strong foundation for broader evaluation of risks and controls across the company. Compliance professionals should be star performers on every ERM team.