Insight: Four Letters to Study
For life insurers, that would be 'r-i-s-k.'
Just one word embodies the overwhelming mandate for life insurers today to manage their business with a solid risk-based approach. Corporate boards, rating agencies and regulators increasingly demand that risk be managed on an enterprisewide scale. At the same time, they want to see organizations "go deep" to ensure that appropriate and complete risk identifications, assessments, controls, audits and reports are carried out.
The real objective of enterprisewide, risk-based management or governance programs is to help organizations approach risks more intelligently. This hinges on understanding and aligning the companies' risk appetites with their risk initiatives. Inherently a rigorous approach, these positive elements provide a fluid web of oversight destined to respond to both internal and external scrutiny.
While the risk-based management mandate is certainly not exclusive to life insurers, there is little doubt that the life industry has faced unprecedented scrutiny over the past few years. Life insurance benefits claims processes "claimed" an elevated level of attention from state regulators, with the targeted multistate exams and the expectation of follow-up exams to assess sustained implementation of new processes. Anti-money laundering policies and procedures and suitability requirements are high-profile issues which continue to concern life insurers, despite both of the issues having had requirements established several years ago.
The recent Anthem breach has highlighted the very real cybersecurity threat that all insurers face. It has also awakened regulatory and judicial inquiries, among other potential sources of scrutiny. For example, New York's Department of Financial Services announced plans Feb. 8 to "integrate regular, targeted assessments of cybersecurity preparedness at insurance companies as part of the department's examination process; put forward enhanced regulations requiring institutions to meet heightened standards for cybersecurity; and examine stronger measures related to the representations and warranties insurance companies receive from third-party vendors, among other measures."
All of these vulnerable areas should be assessed; they beg for the development of strategies with a risk-based approach. This is the new mantra of life insurers. One of the current and long-tested risk management processes actually involves the managing of compliance risk. Insurance compliance professionals know that 90% of adopted regulations become effective within 60 days of adoption, as do almost half of enacted laws. With these short-term time frames, identifications, assessments, implementations and controls must be managed with lightning speed in many cases.
Taking a look at processes within life insurers' own organizations may reveal the basic, but nevertheless effective, systems of defining, identifying, evaluating, implementing, controlling, auditing and reporting elements of managing that "four-letter word." Adapting this model to managing other risks, enterprisewide, is a valid option.
From managing compliance risk to managing financial risk, and all risks in between, life insurers have much to deal with in addition to the regular ebb and flow of legislative and regulatory requirement changes. With ORSA requirements commencing in 2015 in many jurisdictions, and the NAIC's pending Corporate Governance Annual Disclosure Model Act and supporting Model Regulation, the drive continues and intensifies for additional information on the corporate governance practices of U.S. insurers to be provided to regulators on a regular basis.
In other words, R, I, S and K, the four letters of the alphabet which have historically defined the insurance industry, spell a word that has a new and critical meaning for 2015 and beyond.
(Best's Review contributor Kathy Donovan is senior compliance counsel for the Insurance Compliance Solutions group at Wolters Kluwer Financial Services. She can be reached at kathy.donovan@wolterskluwer.com)
