2 February 2016

ERM: the common theme to the new world of insurance regulation

Rick Marx, Tom Ward and Mark Watson suggest how the pursuit of enterprise risk management (ERM) can help US insurers find value in the mountain of regulations

If there is any certainty in the global insurance industry, it's that the regulatory landscape is undergoing — and will continue to undergo — significant change.

The difficult decision for insurers is where to focus their attention in what are complex and multidimensional changes. In this article, which focuses on the impacts for US insurers, we suggest that the common thread across all regulatory reforms is the strengthening of ERM and compliance governance frameworks.

In addition, there are real business benefits to be realised from more effective ERM, as has been demonstrated by the experience of those firms that have embraced change and gone beyond a "lowest common denominator" approach to compliance.

A mosaic of global reforms

In the wake of the 2007–08 financial crisis, global insurers have faced a range of varying regulatory activity, as depicted in Figure 1. In some cases, these regimes mark a fundamental shift in how the industry is regulated.

  • The US Treasury Department's Financial Stability Oversight Council has designated some insurers as systemically important financial institutions (Sifis), which will necessitate additional regulatory and supervisory requirements under the Dodd-Frank Act of 2010.
  • In Europe, Solvency II has imposed a standard for insurers in 31 countries.
  • The Financial Stability Board has identified global systemically important insurers (G-Siis) that will be subject to more intense supervision.
  • The International Association of Insurance Supervisors (IAIS) is developing requirements for internationally active insurance groups (IAIGs), with the implication that such insurers may be subject to more demanding regulation and supervision.
  • Internationally, pillar 2 of Solvency II and the Insurance Core Principles (ICPs) developed by the IAIS describe the elements to be put in place for effective risk governance and risk management.

There is growing consensus that more federal regulation and oversight is likely to come for US insurers. Further, more industry stakeholders are viewing these long-discussed regulatory reforms as "here and now" concerns that will soon be an everyday reality for many large insurers.

Figure 1. The international regulatory landscape for insurers

Enterprise risk management is a common denominator

Reform efforts have much in common, including enhanced group-level prudential regulations for higher capital reserves, mandatory stress testing, tougher supervision, enhanced risk management and greater expectations for governance. Recovery and resolution plans may also be required for many carriers.

However, in some areas, specific requirements for US insurers have yet to be fully defined or promulgated. Similarly, international policies will take several years to unfold. This puts insurers in a somewhat difficult position regarding the timing and urgency of their actions in preparation for the new regulation. Take the setting of capital reserves: waiting until regulations are more clearly defined may be beneficial as jumping ahead of regulation could prove costly, with no apparent near-term benefits for early implementation.

In the areas of risk governance and management, however, where the regulatory direction and business need are clearer, immediate-term action makes sense. Participating in field tests and writing comments on proposals will prove advantageous in engaging in the debate and building a capital-forecasting process.

"An effective risk management framework prepares insurers to focus on two bigger issues: managing capital and managing solvency"

Why do insurers need to focus on risk governance and risk management now? One reason is that it is the focus of regulators in the US and worldwide, who appear to believe that failures in these areas were the underlying cause of the financial crisis. Thus, the own risk and solvency assessment (ORSA), the ICPs from IAIS and other regulatory reforms and supervisory changes were designed to shore up insurers' risk governance and risk management frameworks.

What should insurers aim for in their ERM frameworks? As illustrated in Figure 2, effective frameworks will outline the governance and daily activities that quantify and manage risks. Further, they will provide management and the board of directors with timely, comprehensive and accurate information to make more informed decisions, ultimately helping to protect insurers, their stakeholders and their customers from future threats of insolvency.

Figure 2. Components of a risk management framework

An effective risk management framework prepares insurers to focus on two bigger issues: managing capital and managing solvency. This then allows for more informed and timely, fact-based decisions by management and boards.

Overall, enhanced risk management programmes and controls eliminate surprises and improve returns on risks taken, areas explored in more detail below. More basically, effective ERM can help minimise the severity of a future financial downturn on individual firms.

The business case for enterprise risk management

Of course, there are costs associated with complying with new rules. However, many benefits from current reforms are clear and irrefutable. More hands-on and informed supervision, if executed appropriately, is likely to strengthen the organisation. The benefits of better decision-making are even more obvious. Holistic views of risk will incorporate both financial and nonfinancial risks and balance past, current and future performance and events. These views are critical as insurers seek improved returns on risks taken.

What CROs say

Respondents to EY's recent survey of insurance chief risk officers (CROs) confirmed the powerful impact of new regulation on the industry. CROs are uniquely positioned to assess both the opportunities and challenges of compliance because they often lead the preparations and organise the broad frameworks for the cumulative and interrelated effects of different layers of regulations — which some describe as a "tsunami."

  • "It really comes down to whether risk management is about simple compliance with rules or about improving dialogue to help drive decisions."
  • "We create value by helping the organisation take 'good' risks with pricing and investments and approaching decision-making using a consistent risk management approach and thought process."
  • "There is no one regulation that presents the biggest challenge, but rather the combination of all at the same time that makes this a hugely challenging process."

Further, regulatory efforts can serve as the impetus for embedding data-driven and analytics-enabled practices into decision-making and performance management processes across the organisation, helping the organisation learn to better differentiate between good and bad risks.

Corporate boards will be better positioned to offer direct oversight, provide guidance and, when necessary, challenge company strategy, decisions or risk management practices. Improved communication patterns may also pay dividends as timely, accurate and comprehensive risk information guides broader decision-making and as effective escalation processes are implemented.

A flexible and adaptable ERM approach enables the company to be prepared for more intense regulatory scrutiny and to implement additional regulatory requirements, as needed, from around the globe.

There may also be ancillary benefits for firms that take a broad, business-centric view of the regulations. For instance, there may be cost savings for firms that seek more efficient compliance processes by investing in the automation of manual tasks and reducing duplicative efforts. Improved data quality is another high-value by-product for companies taking a best practices-based approach to addressing regulatory standards.

ORSA: a template for preparedness

Many insurers that have completed an ORSA have demonstrated that regulatory compliance and improved performance are not mutually exclusive. In this sense, the process by which firms have met ORSA requirements may be useful in the context of other regulations.

The key is to go beyond a narrow, "check-the-box" approach to compliance and seek ways to establish or strengthen the overall ERM framework. Indeed, ORSA report guidelines from the NAIC describe a solid foundation for effective risk governance and risk management, with standards-based guidelines and leading practices for ERM (see Figure 3).

Figure 3. ORSA as the foundation for an enterprise risk management framework

Those firms that have effectively implemented their ORSA have already realised the following benefits:

  • A clearly articulated strategy and risk appetite set by the board, established across the enterprise and embedded into the organisation through individual limits, tolerances and performance assessments
  • An ongoing, enterprise-wide risk assessment across all risk types, including strategic risks, emerging risks and new product risks
  • The use of a consistent set of criteria, including forward-looking risk metrics, to assess and quantify risk at a range of confidence levels, using models shaped by common risk drivers
  • A common risk language used across the organisation that reduces ambiguity and accountability issues
  • Timely, consistent and accurate reports for the board, senior management and other decision-makers that are generated from demonstrable risk control activities. The goal is to ensure these leaders truly understand future risks, as well as past risks, to the stability and solvency of the enterprise; historically, most insurers have relied too much on hindsight
  • Systems, processes and controls needed to produce timely risk and capital adequacy and solvency information
  • Links between the risk management framework and pricing, new product design, performance measurement and capital allocation, which can serve to make risk management a more proactive practice across and at multiple levels of the organisation

The strategic view of regulatory reforms: seizing the opportunity for change

A large US-based life insurer viewed increasing regulatory pressures as an opportunity to build an industry-leading risk management function. The goal was to support business units in delivering better and more profitable products to the market.

Taking a fresh look at its risk management approach in the context of day-to-day business activities, the insurer used industry benchmarks as the baseline for a new framework designed to enable the following:

  • Deeper understanding of the relationship between risk and profitability inherent in the current operating model relative to specific market segments, geographic locations, customer sets and product lines
  • Identification of emerging risks and market opportunities and better responsiveness in terms of resource allocation
  • Balancing of near-term business opportunities with long-term financial and reputational risk
  • Easier demonstration of management insight into business risk and easing of regulatory pressure

The bottom line: the insurer saw the clear and compelling business case in which improved risk management ultimately results in increased and sustainable profitability, as well as compliance.

Some insurers have gained valuable insights from an effective ORSA framework into technical pricing and value contribution as core inputs to product design. Others have discovered more effective metrics to identify underperforming portfolios.

Representative quotes from "Increasing authority and higher organizational profiles", EY's 2015 Insurance CRO Survey.

Make it practical

Insurers in Europe that have implemented changes ahead of Solvency II or equivalent regulations are now focusing on lowering the costs of maintaining their risk frameworks. Some of these firms — including US insurers that invested in ERM improvements in response to Sarbanes-Oxley — have found their initial frameworks were unnecessarily bureaucratic.

In some cases, there was too much emphasis on the details of the governance structure, processes and policies, and not enough on the high-level governance framework and the overall soundness of risk management practices. Striking the right balance will enable insurers to enhance risk management effectiveness and keep costs down at the same time, with a framework that is appropriate to the size and complexity of their operations.

Conclusion

The pace of change in international and domestic insurance regulation is quickening. International standards are now in sight. Domestic standards are being revised and strengthened in light of international policymaking.

Nowhere is the drive for change more visible than in risk governance and risk management. That is why these areas should be the near-term focus of insurers preparing for regulatory reforms. Fighting the tide of reform or waiting until regulators finalise every last detail is not a viable approach and offers very limited, if any, value to the business. After all, there is little doubt that still more rules will be written.

Insurers that do not adopt improvements to their risk management and governance frameworks early will miss out on accruing significant benefits and will still face an uphill climb when it comes to compliance. In contrast, forward-looking insurers that have accepted that reforms are imminent have strategically prioritised their actions in key areas and — as a result — are already harvesting the value of stronger risk management frameworks.

Rick Marx is a principal, Tom Ward a partner, and Mark Watson an executive director in the Financial Services division of Ernst & Young LLP.
