Tag Archives: solvency ii

What Should Future of Regulation Be?

It is of course much easier to look back and second-guess regulatory actions. It is far more difficult to propose a way forward and to do so in light of the emerging hot-button issues, including data and the digitization of the industry, insurtech (and regtech), emerging and growing risks, cyber, the Internet of Things (IoT), natural catastrophes, longevity and growing protectionism. The way forward requires consideration of the primary goals of insurance regulation and raises critical questions regarding how regulators prioritize their work and how they interact with one another, with the global industry and with consumers.

We offer below some thoughts and suggestions on these important questions and on how regulation might best move forward over the next 10 years.

Establish a reasonable construct for regulatory relationships.

Relationships matter, and it is imperative for there to be careful consideration of how regulators organize their interactions and reliance on each other. We have some examples in the form of the Solvency II equivalence assessment process, the NAIC’s Qualified Jurisdiction assessment process (under the U.S. credit for reinsurance laws), the NAIC’s accreditation process for the states of the U.S., the U.S.-E.U. Covered Agreement, ComFrame, the IAIS and NAIC’s memorandum of understanding and the IMF financial sector assessment program (FSAP). Each of these provides varying degrees of assessment and regulatory cooperation/reliance.

These processes and protocols, however, have largely emerged on an ad hoc, unilateral basis and in some cases have had a whiff of imperial judgment about them that may not be justified – and certainly is off-putting to counterparties. We would urge regulators to give careful consideration to the goals, guiding principles and the process for achieving greater levels of cooperation and reliance among global regulators.

We hope these efforts would include an appreciation that different approaches/systems can achieve similar results and that no jurisdiction has a monopoly on good solvency regulation. There must also be respect for and recognition of local laws and a recognition that regulatory cooperation and accommodation will benefit regulators, the industry and consumers. Most importantly, regulators need to work together to develop confidence and trust in one another.

The IAIS first coined the phrase “supervisory recognition” in 2009. In March of that year, the IAIS released an “issues paper on group-wide solvency assessment and supervision.” That paper stated that:

“To the extent there is not convergence of supervisory standards and practices, supervisors can pursue processes of ‘supervisory recognition’ in an effort to enhance the effectiveness and efficiency of supervision. Supervisory recognition refers to supervisors choosing to recognize and rely on the work of other supervisors, based on an assessment of the counterpart jurisdiction’s regulatory regime.”

The paper noted the tremendous benefits that can flow from choosing such a path:

“An effective system of supervisory recognition could reduce duplication of effort by the supervisors involved, thereby reducing compliance costs for the insurance industry and enhancing market efficiency. It would also facilitate information sharing and cooperation among those supervisors.”

This is powerful. We urge global insurance regulators to take a step back and consider how they can enhance regulatory effectiveness and efficiency by taking reasonable and prudential steps to recognize effective regulatory regimens − even where these systems are based on different (perhaps significantly different) rules and principles, but which have a demonstrated track record of effectiveness.

As noted above, we have seen some efforts at supervisory recognition. These include Solvency II’s equivalence assessment process, the NAIC’s accreditation process for other U.S. states, the NAIC “Qualified Jurisdictions” provisions for identifying jurisdictions that U.S. regulators will rely on for purposes of lowering collateral requirements on foreign reinsurers, the E.U.-U.S. Covered Agreement and the IAIS’s Memorandum on Mutual Understanding. Some of these processes are more prescriptive than others and have the danger of demanding that regulatory standards be virtually identical to be recognized. This should be avoided.

One size for all is not the way to go.

The alternative approach to recognition of different, but equally effective systems is the pursuit of a harmonized, single set of regulatory standards for global insurers. This approach is much in vogue among some regulators, who assert the “need for a common language” or for “a level playing field” or to avoid “regulatory arbitrage.” Some regulators also argue that common standards will lead to regulatory nirvana, where one set of rules will apply to all global insurers, which will then be able to trade seamlessly throughout all markets.

There are, however, a variety of solvency and capital systems that have proven their effectiveness. These systems are not identical, and indeed they have some profoundly different regulatory structures, accounting rules and other standards such as the systems deployed in the E.U. (even pre-Solvency II), the U.S., Canada, Japan, Bermuda, Australia, Switzerland and others. Attempting to assert a single system or standard ignores commercial, regulatory, legal, cultural and political realities.

Moreover, we question some of the rationale for pursuing uniform standards, including the need for a common language. We suggest that what is really needed is for regulators to continue to work together, to discuss their respective regulatory regimes and to develop a deep, sophisticated knowledge of how their regimes work. From this, trust will develop, and from that a more effective and efficient system of regulation is possible. The engagement and trust building can happen within supervisory colleges. We have seen it emerge in the context of the E.U.-U.S. regulatory dialogue. We saw it in the context of the E.U.-U.S. Covered Agreement. No one, however, has made a compelling case for why one regulatory language is necessary to establish a close, effective working relationship among regulators.

Similarly, the call for a level playing field sounds good, but it is an amorphous, ambiguous term that is rarely, if ever, defined. Does the “playing field” include just regulatory capital requirements? If so, how about tax, employment rules, social charges? How about 50 subnational regulators versus one national regulator? Guarantee funds? Seeking a level playing field can also be code for, “My system of regulation is heavier, more expensive than yours, so I need to put a regulatory thumb on the scales to make sure you have equally burdensome regulations.” This argument was made for decades in the debate surrounding the U.S. reinsurance collateral rules. We hear it now regarding the burdens of Solvency II. It must be asked, however, whether it is the responsibility of prudential regulators to be leveling playing fields, or should their focus be solely on prudent regulatory standards for their markets.

Finally, the dark specter of regulatory arbitrage is often asserted as a reason to pursue a single regulatory standard, such as the development of the ICS by the IAIS. But one must ask if there is really a danger of regulatory arbitrage today among global, internationally active insurers. Yes, a vigilant eye needs to be kept for a weak link in the regulatory system, something the IMF FSAP system has sought to do, supervisory colleges can do and the IAIS is well-equipped to do. But using regulatory arbitrage as an argument to drive the establishment of the same standards for all insurers does not seem compelling.

Proportionality is required.

Often, regulators roll out new regulatory initiatives with the phrase that the new rules will be “proportionate” to the targeted insurers. Too often, it seems there is just lip service to this principle. Rarely is it defined – but it is tossed out in an attempt to say, “Do not worry, the new rules will not be excessive.” Greater debate and greater commitment to this principle are needed. Clearly a key component of it must be a careful cost/benefit analysis of any proposed new standard, with a clear articulation of the perceived danger to be addressed – including the likelihood and severity of impact – and then a credible calculation of the attendant costs – economic and otherwise – to industry and to regulators. In October 2017, the U.K. Treasury Select Committee published a report criticizing the PRA for its excessively strict interpretation of Solvency II and its negative effect on the competitiveness of U.K. insurers. The report concluded that the PRA had enhanced policyholder protection at the expense of increasing the cost of capital for U.K. insurers, which hurt their ability to provide long-term investments and annuities. Although the PRA emphasized its mandate of prudential regulation and policyholder protection, the Treasury Committee reiterated its concern with how the PRA interpreted the principle of proportionality.

Simplicity rather than complexity.

Over the past 10 years, there has been a staggering increase in proposed and enacted regulatory requirements, many of which are catalogued above. There is a danger, however, that increasingly complex regulatory tools can create their own regulatory blind spots and that overly complex regulations can create a regulatory “fog of war.”

Andrew Haldane, executive director at the Bank of England, in August 2012 delivered a paper at a Federal Reserve Bank of Kansas City’s economic policy symposium, titled “The Dog and the Frisbee.” He graphically laid out when less is really more by talking about two ways of catching a Frisbee: One can “weigh a complex array of physical and atmospheric factors, among them wind speed and Frisbee rotation” − or one can simply catch the Frisbee, the way a dog does. Complex rules, Haldane said, may cause people to manage to the rules for fear of falling in conflict with them. The complexity of the rules may induce people to act defensively and focus on the small print at the expense of the bigger picture.

Focusing on the complexity of the banking world, Haldane compared the 20 pages of the Glass-Steagall Act to the 848 pages of Dodd-Frank together with its 30,000 pages of rulemaking, and compared the 18 pages of Basel 1 to the more than 1,000 pages of Basel III. The fundamental question is whether that additional detail and complexity really adds greater safety to the financial system or has just the opposite effect and significantly increases the cost. Haldane’s analysis provides compelling evidence that increasing the complexity of financial regulation is a recipe for continuing crisis. Accordingly, Haldane calls for a different direction for supervisors with “…fewer (perhaps far fewer), and more (ideally much more) experienced supervisors, operating to a smaller, less detailed rule book.”

Although Haldane’s analysis and discussion focuses on the banking system, his assessment and recommendations should be considered carefully by global insurance regulators. The sheer volume and complexity of rules, models and reports that flood into regulatory bodies raise the real question of who reviews this information, who really understands it and, worst of all, does a mountain of detailed information create a false confidence that regulators have good visibility into the risks – particularly the emerging risks – that insurers are facing? A real danger exists of not seeing the forest for the trees.

Regulation should promote competitiveness rather than protectionism.

At a time when competition has been growing not only from within the established companies but also more importantly from outside the traditional companies, protectionism will only inhibit growth and stifle better understanding of risk in a rapidly changing business environment. The goal must be to make the industry more competitive and to encourage transfer of innovation and create better ways to address risk, distribution of products and climate changes. Protectionism will only limit the potential of growth of the industry and is both short-sighted and self-defeating.

Recognition of the importance of positive disruption through insurtech, fintech and innovation.

The consensus is that the insurance industry is ripe for disruption because it has been slow (but is now working hard) to modernize in view of an array of innovative and technological advancements. Equally, regulators are trying to catch up with the rapid changes and are trying to understand the impacts through sandbox experiments and running separate regulatory models. The pace is fast and presents challenges for the regulators. Solvency and policyholder protection remain paramount, but cybersecurity, data protection, artificial intelligence and the digital revolution make advancements every day. Where this will lead is not clear. But changes are happening and regulators must work to understand the impact and need to calibrate regulatory rules to keep up with the industry and encourage innovation.

Regulation must be transparent.

Too often, regulation is drafted in times of crisis or behind closed doors by regulators believing they know better how to protect policyholders and how to prevent abuse of the system. As we have said, getting it right matters. A strong and healthy industry is the best way to protect consumers and policyholders. Industry engagement is essential, and acknowledging and actually incorporating industry’s views is critical. This is particularly true given the dramatic changes in the insurance sector and the need to adapt regulation to new economics, business practices and consumer needs and expectations.

This is an excerpt from a report, the full text of which is available here.

Possibilities for Non-Traditional M&A

2015 was a record year for announced insurance deals, as long-anticipated industry consolidation finally started to occur. Several factors have driven consolidation, notably slow economic growth and persistently low interest rates, both of which have limited opportunities for organic growth and forced insurers to reconsider their long-term competitive strategies. Combined with record levels of corporate capital and private equity funding, these pressures have created the perfect opportunity for both buyers and sellers.

Historically, regulatory or financial pressures have driven insurance carve-outs. [An insurance carve-out is a transaction in which a seller divests part of its business (e.g., a particular customer group, product line or geographic area) rather than an acquirer buying the entire enterprise. The seller typically benefits from exiting sub-scale or unprofitable lines, while the acquirer is able to increase scale or geographic reach.] These pressures typically have included repayment of emergency funding received during the financial crisis, fulfillment of regulatory conditions for receiving state aid, divestment to free up capital and improve solvency ratios in preparation for Solvency II, or the shoring up of capital via asset sales following losses.

In recent years, we have seen the industry move away from complex multi-line business models. Insurers are exiting sub-scale business lines to improve returns and compete in an environment in which technology is disrupting traditional business drivers. There are many insurers considering carve-out transactions or IPOs as sellers, and there are even more looking to build market share by acquiring and consolidating businesses with their existing operations.

However, insurance carve-outs tend to be more complex in both transaction structure and post-merger integration than an acquisition of an entire insurance enterprise, and require careful planning and execution to successfully separate the acquired business (“SpinCo”) from its former parent (“RemainCo”).

What should executives be aware of when they consider these types of transactions?

  • Planning and Organization
    • Confidentiality, maintaining optionality and speed of execution are critical to maximizing deal value.
    • The flexibility to execute deals via alternative structures (described below) helps maintain optionality. In addition, a thorough understanding of the M&A landscape is necessary for sellers to run a competitive sales process and for buyers to understand how to properly position themselves for success.
    • To facilitate speed of execution, executives need to simultaneously focus on multiple priorities, including deal execution, separation planning and negotiation of transitional service agreements (TSAs). Leading practices include having a transaction committee that can rapidly make decisions and a project office that guides the planning effort.
  • Transaction Structures
    • Acquisitions of an entire insurance enterprise typically involve the purchase of all of a holding company’s issued stock. The holding company, its subsidiary legal entities, assets and liabilities, products and licenses, people, technology and infrastructure transfer to the control of the acquirer at close. A carve-out requires a different approach. It is rare that the business being sold is fully contained within a single subsidiary legal entity. More frequently, the business being disposed of is written across numerous legal entities and is mingled with business that is core to, and remains with, the vendor. Therefore, carve-outs typically use a mix of strategies to separate the insurance business of SpinCo from RemainCo:
    • Renewal rights – The acquirer receives an option or obligation to renew the acquired business in its own legal entities.
    • Reinsurance – Renewal rights may be accompanied by reinsurance transferring the economics of the historical book either to the acquirer, to other entities owned by the vendor or to a third party.
    • Fronting – Certain domiciles, such as Japan and the U.S., require regulatory authorization of products or rates prior to their availability to policyholders, and such product approval frequently takes longer than regulatory approval for a change of control. When an acquirer doesn’t have regulatory approval to immediately write the business in its own legal entities, the transaction structure typically allows an acquirer to:
      • Continue to issue and renew policies using the vendor’s legal entities for a defined period of time, and
      • Assume the economics of the business via reinsurance. The acquirer frequently is responsible for administering the business (which is still the legal and regulatory responsibility of the vendor’s legal entities) via a servicing agreement.
    • Stock transactions – These are used when assets and liabilities can be segregated into legal entities (e.g. using the European Economic Area’s (EEA) insurance business transfer mechanisms), or when a legal entity, such as a specialist underwriting agency, specifically supports the business being sold.
    • Transfer of assets and contracts/TSAs – Just as the insurance business being sold may be diffused across the vendor’s legal entities, the same may also apply to the people, facilities, technology and contracts with sellers that support the business. While a certain portion of these will clearly align either to SpinCo (and will transfer at close) or RemainCo, there will be a significant subset (particularly in IT and corporate services) that support both and are not easily divisible. For such functions where SpinCo is heavily reliant on the resources of its former parent and it is not possible for the acquirer to fully replace such services prior to the transaction closing, a TSA provides the acquirer and SpinCo with continuing access to and support from RemainCo’s resources after close.

Negotiating the TSA

TSAs provide access to the resources and infrastructure of the former parent for a defined period. While in certain simpler transactions, TSAs can be for as little as three months and require only that the support provided previously be maintained at the same service levels and at the same cost basis, it is more common that acquirer and vendor during the months prior to close:

  • Understand and define the reliance of the business being sold on its parent (and vice versa);
  • Set the duration post-close for each service required under the TSA;
  • Agree on the charging basis e.g. fixed monthly fee, usage, hourly rates (for tax efficiency, each service is usually priced individually);
  • Establish service levels and post-close governance processes.

The acquirer should set realistic timeframes for exiting from individual services. The complexity of insurance policy administration systems, the frequent integration of certain capabilities (such as billing, commissions, and contact centers) across products and the need to separate networks, migrate data centers and implement replacement mainframes frequently require TSAs of 24 to 36 months.

TSAs also may cover centrally provided non-IT services, including HR/payroll/benefits administration, facilities management, procurement, compliance or financial and management and regulatory reporting. However, the duration of these TSAs tends to be shorter – usually a few months, or sufficient to support regulatory and financial reporting for the period following close.

Ideally, the acquirer should seek as much flexibility as possible with the duration of the TSA. It should have the right to terminate the TSA early, the option to extend it at pre-agreed rates and the inclusion of force majeure clauses (a natural catastrophe can significantly affect exiting from a TSA).

Contract assignment and access to shared reinsurance

An area of often-underestimated complexity in carve-outs is the need to ensure that the separated business can continue to receive the benefit of third-party contracts with suppliers, distributors and reinsurers. In most jurisdictions, contracts cannot simply be novated (the insurance business transfer mechanisms of the EEA provide certain exceptions), but instead each contract must be evaluated to determine if assignment simply requires notification to the counterparty or its express consent.

The challenges that arise in contract transfer are both:

  • Logistical – 85% of counterparties contacted typically respond at first instance. However, a recent carve-out had more than 50,000 contracts that needed to be assessed, prioritized and migrated. In this instance, chasing down the remaining 15% was a real challenge.
  • Commercial – Certain experienced counterparties, knowing the tight timeframe for most transactions, may try to renegotiate better terms either prior to the contract being assigned to the acquirer, or prior to permitting the vendor to use the contract to provide services under the TSA.

Also important in a carve-out is a clear apportionment of access to historic reinsurance programs shared between the vendor’s continuing business and the business being sold, as well as definition of the resolution process for any post-close disputes.

Executing close

Transaction close for virtually all insurance carve-outs is triggered by the receipt of one or more regulatory consents enabling the execution of fronting, reinsurance and stock transfer agreements.

When migrating staff and assets supporting SpinCo to the acquirer, supporting staff and assets are moved into a legal entity, the ownership of which transfers at close in certain cases. However, when the relevant staff are not employed or supporting assets are not owned by legal entities transferring to the acquirer at close, there will need to be arrangements for the valuation and transfer of both tangible and intangible assets (e.g. trademarks) and the offering of employment and enrollment in benefits to selected staff by the acquirer. This is a significant logistical exercise for an HR function.

Insurance carve-outs are also particularly challenging for finance functions:

  • The combination of renewal, reinsurance and legal entity acquisition in the transaction structure complicates accounting immediately post-close.
  • Cross-border acquisitions can include acquirers and sellers with different accounting standards (e.g. IFRS, U.S. GAAP, statutory and JGAAP) that often have very different rules on the treatment of assets and liabilities.
  • The practice of closing at a month or quarter end – which in some ways can simplify the transition – may also introduce a tight and immovable timeframe for external financial and regulatory reporting.

Lastly, although there typically will be several months between the deal being agreed upon and the close, this may not be sufficient time – particularly in larger acquisitions across multiple locations – to roll out the acquirer’s networks and desktop technology prior to close. Therefore, full access to the acquirer’s IT capabilities may need to wait until later in the integration.

Post carve-out integration

While an acquisition of an entire enterprise provides a pre-existing governance structure, an insurance carve-out typically includes fewer members of senior management and requires rapid integration of functional management within the acquirer’s existing structure, the expansion of governance and compliance structures to include the acquired operations and the establishment and communication of delegations of authority and decision-making rights.

Due diligence should have provided the acquirer with initial hypotheses as to the organizational capabilities required by the combined organization, interim and end-state operating models, and opportunities for synergies.

As with any insurance acquisition, synergies in carve-outs are typically realized through:

  • Functional consolidation;
  • Platform consolidation and process standardization, which enhances productivity and enables staffing efficiencies;
  • Facilities and infrastructure reduction; and
  • Reduced costs through more efficient third-party vendor selection.

PwC’s research indicates that the most successful acquisitions are those that develop momentum by demonstrating tangible integration benefits in the first 100 days. Accordingly, the acquirer should act fast but should also be prepared to revisit pre-deal assumptions and revise its integration roadmap as the two organizations integrate and new information becomes available.

Conclusion

Based on what we see in the market, notably a recent succession of P&C and reinsurance megadeals, we predict that insurance industry consolidation will continue apace. Multi-line insurers have divested themselves of numerous franchises and this trend seems likely to continue. Because these types of transactions are complex and depend on many internal and external factors, companies that are considering such moves will need to be aware of and address the many challenges and issues we describe above.

This article was written by John Marra, Mark Shepherd, Michael Mariani, and Tucker Matheson.

Global Insurance CRO Survey 2016

Risk functions have evolved from “check-the-box” compliance to being a key enabler for business decision-making. This change has provided chief risk officers (CROs) with a seat at the table in the highest levels of the organization.

2016 has been a year of black swans, characterized by prolonged low interest rates, political uncertainty in key markets and increasing competitive forces challenging insurers’ business models. Together with the rise of risk-based capital regimes across the globe, these factors are tending to align the CRO and CFO agendas, establishing a tighter link between risk, capital and value.

The CRO role will always have a strong regulatory-driven rationale. But as the role evolves, we see an opportunity in ERM to take stock of teams, toolkits and processes — and use them to achieve greater effectiveness.

This shift is occurring at different rates in different regions, but the direction is clear. Our survey explores five key themes around the risk function and CRO role:

1. There has been a high degree of operationalization in prudential regulation around the globe:

  • In Europe, in response to Solvency II demands
  • In the U.S., as a consequence of the NAIC’s ORSA requirement and for the larger insurers, SIFI demands from the Federal Reserve Board
  • In Asia-Pacific, with the implementation of risk-based capital regimes (e.g. C-ROSS in China, LAGIC in Australia, ORSA requirements in Singapore and ICAAP in Malaysia)

2. We are seeing a sharper focus on consumer-conduct regulation:

  • The U.S. Department of Labor is shaking up focus on the advice model.
  • The European Parliament is debating significant advances in policyholder communications, and various European home regulators are demanding redress for past failings in sales process, transparency of charges and continuing product suitability.
  • Depending on the region, it is more or less common for CROs to have compliance report through to them.

3. Governance models are now largely converging to reflect the three lines of defense principles.

Although differences exist across geographies, CROs are consistently seeking to strengthen risk accountability and understanding across the workforce. In particular, while we are seeing an increased awareness that risk ownership starts with the first line, there still are opportunities to strengthen risk accountability and improve communication to help everyone understand risk appetite and consequences.

4. Risk functions are becoming more involved in producing and monitoring risk metrics.

Larger insurers subject to Solvency II and now required to obtain approval of their internal economic capital models are partly behind this shift in risk functions.

Beyond Europe, other jurisdictions have a variety of approaches. For example, U.S. insurers subject to Federal Reserve regulation are required to use more extensive stress and scenario testing in their internal capital management processes (with the eventual requirement to publicly disclose the results).

In general, even where there is no regulatory mandate, CROs and their risk teams are increasingly involved with stress testing and more advanced financial models to quantify risk.

5. CROs are aware of the potential for improvement in operational risk management.

While businesses generally understand the “known knowns,” risk plays an important role in emphasizing the need for a systematic approach to the full spectrum of exposures. Cyber risk in particular is one of the biggest areas of concern for most CROs, who consider it a key focus area of operational risk.

Download the full North American report here.

Download the full EMEIA report here.

Solvency II: Still Missing Buy-in

The first QRT and the Opening information (“Day 1 Reporting”) have been filed. The insurers are “on track” with Solvency II … at least from a pure regulatory compliance point of view!

However, my day-to-day observation is more likely to be a mixed picture. The new prudential framework is not yet “Business As Usual (BAU),” as the large majority of insurance organizations are pretty far away from using the framework as a risk- and capital-based decision framework.

The first “real world” ORSA process has been (more or less) launched, but it continues to be considered a “reporting exercise,” despite EIOPA having launched an EU-wide stress test and a major “stress event” having occurred in June with the UK “Brexit”!

It appears useful to look at a target operating model underlying Solvency II:

  • Solvency II Risk and Capital Management represents the core of the new model.
  • This model requires policies to meet the regulatory and organizational targets – these policies were designed and approved in 2015 or early 2016 and need to be applied progressively.
  • The two ORSA preparation projects 2014 and 2015 should now become BAU and “only” need to be run as a real process translating the ORSA policy designed in 2015 or early 2016.
  • The 2017 reporting deadline for the first SFCR needs preparation and strategic decision making on how to meet the regulatory requirements and how to communicate with the stakeholders, the analysts, the competitors and any other third party eager to understand the new transparency.
  • The AMSB (Administrative Management Supervisory Board) is ready to demonstrate that it takes decisions based on the risk- and capital-based principles governing Solvency II!

We definitely face a sufficient number of challenges, expected and unexpected, to be eager to apply and test the new framework in BAU conditions. Let’s take the time, or, if necessary, the break to really make it happen. This experience will be crucial to contribute to the 2018 review of the Solvency II framework by EIOPA and the NCAs.

Building a Strong Insurance Risk Culture

More than seven years after the onset of the global crisis, the financial sector continues to attract unwanted headlines, with the spotlight shifting somewhat from banks to insurers. Consequently, regulators are taking a heightened interest in organizations’ risk management and underlying cultures. In 2014, the International Association of Insurance Supervisors (IAIS) called for insurers to demonstrate “the ability to promote a sound risk and compliance culture across the group.”

The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, has also issued guidance on risk culture, stating: “Supervisors should satisfy themselves that risk cultures are based on sound, articulated values and are carefully managed by the leadership of the financial institution.” Furthermore, the FSB stated: “Institutions with a strong culture of risk management and ethical business practices are less likely to experience damaging risk events and are better placed to deal with those events that do occur.”

Why risk culture matters

Risk culture can be described as the way in which decision-makers (at all levels within an insurer) consider and take risks. When risk appetite is fully agreed and understood, all employees are conscious of risk in their everyday decision-making, appreciate the trade-offs between risk and reward and consider the interests of the wider organization above their individual objectives.

However, defining risk culture and establishing a sound risk management framework is a considerable challenge. Traditionally, “risk” within insurance is seen as solely the domain of the actuary, and employees in customer-facing or product design positions may have never acknowledged there is a risk management element to their work. Consequently, many organizations fail to prevent excessive or inappropriate risk-taking, which can, in some cases, cause significant losses, penalties and negative publicity. One example is the recent U.K. payment protection scandal, where insurance companies and bancassurers have to pay billions in compensation for mis-selling of policies.

In organizations with weak or undeveloped risk cultures, responsibility for risk management is unclear, with lack of board oversight and direction, low awareness of risks among employees and deficiencies in risk monitoring, reporting and controls. The risk management function itself is typically under-resourced and under-qualified, while key individuals such as the chief risk officer (CRO), the chief financial officer (CFO) and the approved actuary often have multiple risk decision-making roles that create an excessive workload.

Perhaps more importantly, individuals are not measured or given an incentive for risk performance, and there is an over-tolerant attitude to breaches or mistakes, with those taking excessive or inappropriate risks rarely disciplined, implying that such behavior is acceptable.

Within a branch network or telephone service center, staff may be under considerable pressure to meet targets, which can lead to sales of products that are not always a) in the customers’ best interests and b) in line with strategic goals. Incentive schemes are partly to blame; they reward salespeople primarily for goals set by their immediate managers, which may prioritize volume over quality. (These can apply both to direct sales and those made through intermediaries.)

Insurance companies’ reputations are also at daily risk from poor service quality resulting from slow, inaccurate or unfair claims handling or marketing messages that over-promise benefits (such as speed of replacement for stolen or damaged goods or availability of rental cars to replace damaged vehicles). A poorly designed online sales process can easily cause customers to self-select the wrong products.

Compliance reporting for regulations — including Solvency II and International Financial Reporting Standards (IFRS) — can also highlight weaknesses in risk management. Insurers may be unable to demonstrate that controls are in place and are being adhered to, and they fail to produce accurate reporting that paints a true picture of the business.

Consequently, regulators are raising the bar by demanding more risk-sensitive capital regimes as well as stress and scenario requirements. They are also, increasingly, requiring a clearly articulated risk appetite statement and better assessments of risk management frameworks and risk culture, as well as expecting senior executives to be rewarded directly for encouraging sensible risk-taking behavior that supports long-term corporate financial interests.

From awareness to action

Ultimately, culture is all about action — not policies or documentation. With regulators showing an increasing interest in risk culture and behavior, how can companies take a barometer of their current capabilities to make relevant improvements?

There are three important questions to address:

  1. Does the organization have appropriate structures and processes in place to define the desired culture?
  2. Are those structures and processes adequate to create the desired culture?
  3. Do structures and processes drive effective behaviors in practice?

An in-depth evaluation involves close scrutiny of risk and compliance policies, past interactions with regulators and detailed observations of staff behavior at all levels. By seeking the views of a cross-section of employees and managers, leaders can better understand employees’ attitudes toward risk management and how risk management policies, procedures and systems work in practice, highlighting any gaps.

Data analysis can reveal patterns of customer complaints, regulatory fines and requests for closer supervision and monitoring across different departments and locations. Such incidents should be monitored constantly and their root causes identified to offer a continuous indicator of cultural performance. This is a sizable investment requiring strong endorsement from leaders.

Insurance companies with strong risk cultures are likely to exhibit four key characteristics:

1. Tone at the top

The board and executive management should drive risk culture, with leaders exhibiting total consistency in words and actions, taking a visible lead in risk management activities — and being fully accountable when risk parameters are breached. By making risk a formal standing agenda item at board and management forums, the company’s leaders can demonstrate risk management’s importance to all stakeholders. They must ensure all employees are aware of the organization’s approach to risk management, reward positive behavior and act decisively when inappropriate risks are taken (if necessary through disciplinary action). It is very helpful to keep in touch with front-line activity through regular visits to branches and contact centers.

2. Communication

Although leaders set the tone, they can’t be alone in delivering messages about the importance of risk. Senior managers of divisions and business units are also part of the communication process, which must filter down through the organization — and between departments — to the most junior people. In this way, everyone can understand the risk appetite and capacity at the individual, team, department and company level. In addition to recording sales calls, staff should engage in focus groups, surveys and one-on-one interviews to ensure they are continually aware of the risk culture and are conforming to procedures.

Rather than acting as static recipients of advice, all employees should be encouraged to share information and feel safe to challenge unacceptable behavior and to escalate issues. This calls for clear channels for whistle-blowing, implying it is acceptable to criticize the business’ activities without fear of retribution.

3. Responsiveness

In a risk-aware culture, issues are escalated and dealt with swiftly and decisively before they can become major problems, with a central point of contact for all employees for the management and treatment of risks. And, crucially, any learning from such incidents is assessed and built into future policies and behavior to avoid a recurrence. If something slips through the cracks, management should analyze why staff did not comply with protocols and re-educate people on the importance of such checks and balances — as well as stressing the need to act within the “spirit” of risk management.

4. Commitment

Risk must become second nature to all, not something that applies only to actuaries or a central risk team. High-profile cultural transformation programs often fail to achieve lasting change because they don’t focus sufficiently on individuals or explain how people should behave to be more risk-aware. To make cultural change happen, leaders must understand the day-to-day dilemmas faced by staff — such as management pressure on sales numbers — and address these issues directly. Performance management and related compensation systems are key to gaining commitment and should balance local branch/office sales targets with wider organizational goals, as well as rewarding good risk management behavior. That will deter staff from taking unnecessary risks in pursuit of short-term profit. Whether selling in person, by phone, online, directly or through intermediaries, the same principles of fairness and appropriateness must apply.

The approval process for new marketing initiatives has to be robust to ensure the business has the capability to meet any promises. Risk management also requires new skills to identify, assess and mitigate risks, which calls for tailored training and coaching.

Good for compliance, good for the business

As well as increasing the chances of remaining compliant, a strong risk culture gives the board and shareholders greater confidence in an insurer’s integrity and in its ability to meet customer expectations. Comparison websites may have made the sector more price-driven, but customers still appreciate doing business with companies that are seen to be acting in a customer’s interests, often through a company offering relevant products, attentive customer service and a swift, fair claims process.

Having invested in risk processes and frameworks, insurance companies must also devote resources to building a risk culture, to bringing frameworks to life and to ensuring adherence to policies. Once this has been achieved, all employees — not just actuaries — will be able to say they are risk managers.

In a strong risk culture…

  • The board and executive management drive risk culture
  • Every employee understands and embraces the organization’s risk appetite and risk management framework
  • Threats or concerns are identified and escalated swiftly, with employees comfortable (and encouraged) to raise issues
  • Individuals are clear about the risks inherent in their strategic and day-to-day decisions
  • Every employee continuously learns from the experiences of others
  • Personal and organizational interests are aligned via appropriate performance metrics and links to remuneration
  • Risk behavior is monitored regularly, with swift corrective actions taken after any breaches
  • Staff are encouraged to consult with a superior when it is unclear whether a particular action is outside the organization’s risk tolerance

Questions for insurers

  • Is your board able to articulate the kind of risk culture it wants, and can it explain this clearly to all employees?
  • Does your board have a road map toward a strong risk culture, and can it demonstrate steps it is taking in this direction?
  • Are risks being identified, measured, managed and controlled in a manner consistent with the organization’s risk appetite?
  • Does your staff understand and adhere to the organization’s risk appetite — as it relates to their particular roles?
  • Do employee incentives promote long-term financial sustainability?
  • Do employees at all levels have the skills to manage risk effectively?

Reprinted from “Regulatory Challenges Facing the Insurance Industry in 2016.” Copyright: 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of a particular situation.
