Tag Archives: audit

4 Myths About Independent Agents

While speaking at an insurance conference recently, I shared examples of how e-signatures are transformative because the technology now makes it possible to fully digitize the insurance sales and service process. “Imagine if tomorrow all your printers and filing cabinets disappeared,” I offered. Afterward, an agent approached me and said, “I don’t get what the big deal is with electronic signatures, anyway. My customers want to sit down with me and have me walk them through their policy.”

This isn’t the first time I have been challenged in this way. Evidently, some agents in the audience were left with the impression that digitization would replace personal service – an outdated fear among some seasoned insurance agents. This misconception often holds agents back from offering the best possible customer experience and becomes a roadblock to growing their business.

Historically, the insurance business has been a personal one. Producers knew their customers well; knew their families, their businesses, their tolerance for risk. The entrance of direct writers onto the insurance scene has, indeed, removed some of that intimacy. But for independent agents, adding a modern, e-signing option to the buying experience doesn’t quash their personal touch.

Let’s debunk the four most common myths among independent agents:

Myth #1: Digital means “self-serve”

The goal of automation is not to remove human interaction; the goal is to provide a more efficient, error-free customer experience. E-signatures have been adopted across all channels in insurance, from remote call centers to face-to-face client meetings. Regardless of channel, we are still seeing customers continue to call advisers and meet with their agents; but at signature time, there is no printing, just an email invite with a link to e-sign.

Myth #2: Technology detracts from quality of service

Some agents believe that technology detracts from the quality, consultative and personalized service upon which they have built their business. The adoption of digital processes does not dilute the continuing value that independent agents provide; it simply modernizes the administration of paperwork. In fact, the time saved managing paperwork will be more time agents can spend offering specialized expertise. Trusted advice will continue to play an important role in the industry.

Myth #3: Consumers aren’t ready

This is simply not true. We track client preferences for e-signature automation across many mediated and unmediated channels. Mediated is when the client’s transaction is guided by a representative, offering the option for e-signature at the time of signing. Unmediated is when the consumer is online, in a self-serve situation.

In unmediated transactions, where e-signatures are offered 100% of the time, rather than being offered at the discretion of a sales agent, it is common to see adoption rates of more than 95% for e-signatures. Consumers are indeed ready and opting for the convenience and immediacy that e-signatures provide.

Myth #4: Digital signatures are risky

The fact is, electronic signatures are more secure than wet signatures. The identity of the signer – and the intent to sign – can both be authenticated and upheld in a court of law. Digitized audit trails of e-signing mean you not only get a log of document-level activity during the signing process, but everything the signer experiences during the signing ceremony can be captured, accessed and replayed as proof of signing.

Doing Digital Right

Independent agents who embrace digital upgrades to their processes will realize five key benefits:

  1. Improved customer experience: a personalized yet modern process nets better customer retention.
  2. Automated, expedited business process: less time is required to execute necessary paperwork.
  3. Efficiency: less time spent managing paperwork and fixing errors.
  4. Cost savings, from eliminating paper and having more time to spend with clients.
  5. Fewer errors, leading to lower errors-and-omissions (E&O) risk.

One of the most important benefits of modernizing business systems is the ability to attract clients. As generations shift, underinsured Millennials will open market opportunities. Progressive, independent agents will be viewed as service providers who have kept current with the times – yet still offer industry expertise with personalized attention.

“All business models must now rely heavily on digital tools; it’s what consumers want. What’s so exciting, however, is that consumers also hunger for a trusted adviser relationship with their insurance agent. Independent agents who marry the two will be big winners in the years ahead. That’s an opportunity direct writers can’t fully execute,” says Ron Berg, executive director, Agents Council for Technology.

How to Start Managing Cyber Risk

Hardly a day goes by without a news flash about another cyber breach. Since security breaches have become a daily occurrence, I sat down with Jeremy Henley at ID Experts to discuss the most common ways that companies are being breached and how companies can start to assess their cyber risk profile.

Question: Jeremy, what are the most common ways that you are seeing small to mid-size companies being breached?

Answer: One of the common ways that companies are being breached by hackers is that the hackers exploit vulnerabilities in the company’s security network. This includes the company’s failure to update software or upgrade their systems, as well as the failure to have the appropriate checks and balances in place. Small to mid-sized businesses are particularly vulnerable as they often don’t have the IT staff or budget to continually upgrade and update their systems as their organizations change and grow.

The second most common way companies are breached is through simple employee negligence. This would include a company’s failure to train and educate their employees on basic cyber security. For example, the failure to educate employees on the risks of downloading private data onto a portable device that is not encrypted as well as the failure to educate employees as to how to identify scams that ask them to open suspect emails or attachments. Companies need to educate their employees about the dangers of connecting to unsecured Wi-Fi connections at the airport or Starbucks when they are doing work that includes logging in to sensitive company systems. If someone is spoofing the airport Wi-Fi, you are essentially sharing everything you are doing online with that attacker.

Question: Once clients realize the security risks they face in today’s world, clients often ask where they should start with respect to updating their network security. Do you have any guidance for them?

Answer: I advise our clients to start by asking themselves three questions:

  1. What data are we collecting? This is important as it will help them determine what regulations they may need to comply with (HIPAA/HITECH, PCI and 47 state breach notification laws, etc.).
  2. How are they managing the data that they have? This includes examining what technology the company is using, if it is creating multiple layers to its security with firewalls and antivirus and if it is creating policies and procedures and training employees as to security safeguards.
  3. I would ask the company to examine who they are sharing the data with. Specifically, which vendors or clients have access to its systems, and ask those vendors what security and privacy policies they have in place (if any)? You might consider requiring your vendors to provide proof of a security audit or insurance in the event they are the cause of a breach of info that you were trusted with.

Question: What role does cyber insurance play with your clients?

Answer: Cyber insurance has been invaluable to many of our clients, as most cyber policies include pre-breach education tools and employee training information as well as sample security policies or an incident response plan. Some carriers also work with us to provide risk assessment and penetration testing so that weaknesses can be identified and corrected prior to a breach incident. In my experience, the most valuable part that insurance plays is that the insured is able to fund an appropriate response in the wake of a breach. Clients that do not have cyber insurance usually do not have a budget set aside to deal with this unfortunate event, and after a breach do not have the funding to adequately fund the most appropriate response, therefore limiting their ability to respond to the significant reputational, financial and legal ramifications that such an incident can cause to their organization.

How to Evaluate the External Auditors

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them — especially chief audit executives (CAEs), CFOs and general counsel.

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each) and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of audit firms to detect serious issues (fortunately few, but still too many – the latest being the FIFA scandal) and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I said there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the corporate controller and the entire financial reporting team. I said that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the treasurer and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this situation. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO, whose policy it had been not to hire CPAs) to have the issue addressed promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why; whether he agreed with my assessment of the issue; why the firm had not identified this as a material weakness or significant deficiency in prior years; or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

  • Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
  • Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
  • Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

How to Extend ERM to IT Security

What is SERMP? It is an idea born out of necessity, when I needed a way to help my colleagues in the information technology security field explain to others in the organization the level of risk they faced and the progress being made in managing it.

IT security and ERM frameworks are numerous and readily available, but I wanted a way to bring the two together. After many editions and revisions, the Security Enterprise Risk Management Program, or SERMP, was born. The SERMP is a customized framework that creates a repeatable process that can be executed by non-IT professionals. Working with others in your organization, you form a team, develop a vision and scope and populate your customized framework tool over time.

As an ERM practitioner, you don’t need to be an IT expert to be well-suited to implement a SERMP. You know how to identify and articulate risk, quantify or qualify the degree of risk and identify appropriate mitigations that can reduce uncertainty and create greater opportunity. In short, you are taking knowledge and skills that you use every day and applying them to a different environment.

SERMP is initiated to establish a model to assess, track and monitor all security risks and initiatives empirically. It allows the organization to be confident that it is focused on the right things at the right time, and to align new security risks and initiatives with the proper emphasis and investment. At its core, the SERMP is an enterprise risk management (ERM) model, but it expands upon the ERM model by incorporating a holistic framework approach, with strict emphasis on empirically supported statements. This allows leadership to have very specific and targeted discussions regarding risk and impact, with defensible data to support key decisions.

So, where do you start? Playing off the idea of crowdsourcing, you build your team based on the following characteristics:

#1 Willingness…

Okay, there are really no other characteristics needed. Because the SERMP framework breaks down IT security into components at a level that limits scope, and because it is repeatable, allowing for brief bursts of time commitment, the knowledge required to execute each segment is also reduced. If someone is willing to join the team and give of their time and has a desire to learn about IT security, they can contribute — even better if they have some impact on IT security.

Many people have, or should have, an impact on IT security, but until engaged in SERMP may not even realize that they do:

  • Facilities: physical security
  • Human Resources: access control and training
  • Communications: awareness and messaging
  • Risk Management: risk frameworks and cyber insurance
  • Procurement: contracts and vendor management
  • Project Managers: process documentation
  • Audit: frameworks and assurance
  • Compliance: governance and policy

It is highly recommended to have at least one IT security member on the SERMP team, but it is not required. The IT security staff (internal or external) will need to provide time to meet with SERMP team members, but they do not have to be working members of SERMP.

Anyone else willing to volunteer?

How much time is this going to take?

SERMP is about gathering and analyzing information over time. You can move quickly or slowly and expand or contract your scope as your resources allow, given the complexity of the IT structure and the organization’s environment. I recommend doing small bursts of effort but on a regular basis:

  • Initial introductory meeting to explain the concept (30 – 60 minutes)
  • Planning meeting to develop a charter that includes vision and scope (1 – 2 hours)
  • 30-minute meetings every two weeks with the SERMP team to discuss progress
  • Quarterly report out to leadership and appropriate committees, i.e. risk or audit committee (30 minutes)
  • Team-member monthly time commitment: five hours per team member to gather information, populate the framework and attend the 30-minute meetings

The above does not account for the time that you as the leader of the project will spend in oversight and administration, but because you control the pace and scope you can work the program into your schedule as time and resources permit.

Establishing a charter or similar document is helpful in having “recruiting” discussions for your SERMP team.

Example charter:

The Security Enterprise Risk Management Program (SERMP) is initiated to establish a model to assess, track and monitor all security risks and initiatives empirically. It allows the organization to be confident that it is focused on the right things at the right time, and to add and align new security risks and initiatives with the proper emphasis and investment.

SERMP is a continuing program, but the major phases are:

  • Establish Approach
  • Enterprise Current State Assessment
  • Risk Initiative Planning and Prioritization
  • Risk and Initiative Progress: Quarterly reporting
  • Annual Review

What are the challenges and issues we are trying to solve?

Security controls and investments were implemented without a measurable understanding of effectiveness or appropriateness. Have we invested our security dollars in the right places? Without a structured framework, we are guessing at worst, and at best have a siloed understanding of the security posture picture.

What are the goals of the program?

Establish a repeatable framework to:

  • Confidently understand our current security posture
  • Identify our key security risks and priorities
  • Determine security remediation strategy
  • Align remediation initiatives with strategy
  • Establish empirical key risk indicators (KRIs) and key performance indicators (KPIs)

The complexity of security is organized into 12 separate domains (grounded in ISO 27000 but customized for the organization). Each domain has a lead, who is responsible for understanding the holistic posture of the domain’s scope, measured across the entire enterprise.

For each domain, there will be a strategy covering the following elements (domain detail, then what it describes):

  • Vision: Value & Scope; Scope & Definition
  • Policy: Mapping; Controls, Standards
  • Risk: Assumptions; Observations & Metrics
  • Metrics: Baseline, KRI, KPI
  • Initiatives & Roadmap: Initiatives, plan, 3-year roadmap
  • Programs & Services: What is in place
  • Partners: Up & Downstream

A reporting tool is used to track the SERMP. It houses the information for each domain, plus how the organization is managing the program: the Establish, Assess, Treatment, Monitor and Review activities, and metric tracking for Risk Statement, Risk Impact, Key Risk Indicators (KRIs), Risk Remediation Initiatives, Current State (KPI), Target State (KRI) and Projects.

The reporting tool is used not only as a repository for information gathering but provides the team with a framework that breaks down the elements to be gathered and analyzed into manageable components. In the above charter, ISO 27000 is referenced, but other or multiple standards may be used.

The Best of Claims, the Worst of Claims

It was the best of claims; it was the worst of claims… the age of wisdom, the age of foolishness… belief vs. incredulity… hope vs. despair… etc., etc. The iconic opening paragraph from Charles Dickens’ A Tale of Two Cities makes one realize such conflicts do exist in the same space and time, albeit through different personal perspectives. Such is the reality in workers’ comp claims, where the single biggest factor in outcome is often the claimant’s attitude.

A client claim-audit project offers a jarring comparison between two claim files from different parts of the country. The claims exemplify how little control we actually have over an employee’s attitude in the disability management process, and show how vastly different the human tolls can be.

Both claims were in excess of 10 years old. Both involved exaggerated and evolving symptoms with eventual narcotic prescriptions for “pain management.” At approximately the same time, however, each took a different path.

One claimant found her own reasons and will-power to end the years she spent on prescribed pain-killers. She entered a drug treatment process on her own, eventually stopped her prescriptions and found a full-time job. The other claimant dove deeper into narcotic addiction and exhibited classic drug seeking behavior – such as “losing” his prescriptions and requiring early refills. He tested positive for other illegal drugs once his rightfully suspicious physician initiated a monitoring program.

There was no appreciably different set of claim management tools or tactics used for the claims – the stark difference in outcome came down to the want of the individual… an almost impossible aspect for the day-to-day claim practitioner or human-resources manager to reach or control. And, at the time of my audit, the claims were equally easy to close.

The woman free of prescriptions and carrying a full-time job was simply no longer a claimant. She was probably very happy to have her case closed and the dark chapter of her life over. We decided on an administrative closure of the claim.

On the other hand, the gentleman was barred from his erstwhile treating physician and pain management clinic for abusing meds and refusing a drug treatment program. A host of independent medical opinions indicated the man did not require further meds for the old injury. His everyday behavior was highly unfocused and erratic, apparently causing no attorney to take his WC case. He lived out of a tent in a relative’s backyard.

The man’s claim was also an easy administrative closure because of lack of any foreseeable prosecution. I have to admit his situation nicked at my coat of cynicism, the one layered thick from years in this profession. I hated the plain fact that he was a doomed victim of a WC system enabling his addictive conditions.

To my good readers, I ask: Which closure would you rather preside over?

Quick-Tip: Know When to Hold ‘Em But Don’t Wait to Fold ‘Em

When reasonable medical treatment has no impact, quickly consider other options. A claimant with misguided intentions or extraneous problems and no desire to be “cured” might just be his own worst enemy and using the WC claim as a primary enabler.

– Find appropriate ways to incorporate employee assistance programs (EAPs) or other specialty counseling services to support employees or WC claimants who have debilitating outlooks or possible addiction issues.

– Maintain a “no-fill” position on narcotic prescriptions. This will give you and your defense team at least an opportunity to block dangerous drugs before they are automatically initiated.

– Consider any “chronic pain” diagnosis to indicate maximum medical improvement (MMI). “Chronic” as a term arguably fits MMI. Try to settle the case under that premise. Fight the diagnosis and treatment plan, as a means to pressure settlement. If the plaintiff’s side argues against an MMI determination, then demand a treatment outlook and timeline that results in stopping pain medication.

– For claims with long-term narcotic situations, seek peer reviews to ascertain if the regimes are excessive and if a recommendation for detoxification is appropriate. Specifically set up medical evaluations to confirm addiction and substance abuse tendencies.

– Never presume a claimant with the wrong attitude and bleak outlook will be cured by any type of treatment. Know when you are wasting time and money. You must sense and act on this early. Don’t rely on adjusters to raise questions, as their inclination is to keep treating as long as medical opinion approves. You must take the role of disruptor.

Bottom line: It is distressing that workers’ comp enables addiction. Closing such cases is not always pretty. Learn from the disasters and take more responsibility in the future. Recognize that claimant attitude and outlook are of primary importance, for good or for bad.