Enterprise Risk Management
and the Compliance Professional
Denise Tessier, Senior Regulatory Consultant
Wolters Kluwer Financial Services Denise.Tessier@wolterskluwer.com
Kelly Cruz-Brown, Shareholder
Carlton Fields Kcruz-brown@carltonfields.com
AGENDA
•
•
•
•
•
•
•
What is ERM?
The Drivers of ERM
Fundamentals of the ERM process
The Benefits of ERM for Compliance
Challenges for Compliance in ERM implementation
Recommendations/Best Practices
Q&A
Part 1 : Introduction to ERM
What is ERM?
• Enterprise Risk Management
(“ERM”) - the process of
planning, organizing, leading,
and controlling all activities of
a company in an integrated
fashion in order to minimize the
effects of risk on the company’s
capital and earnings.
• A view of the “whole world”
of risk throughout a company…
Before ERM - Silos
• “Silo approach” (no collaboration or
standardization btw business units)
• Qualitative risk assessments (lack of
other methods in use)
• Risk avoidance / reactive risk
controls (rather than proactive)
• Risks with no owners
• Limited-risk mitigation scope
• Limited regulatory scrutiny
• Risk is only seen as threats
5
With ERM – Integration
• Addresses risks in a broader way
• Better communication amongst
management and whole company
• Streamlined management of risk, with
ability to PRIORITIZE risks
• Assigns and ensures risk ownership and
accountability
• Flexible to grown and change with
company, as environment changes
• Addresses opportunities too
6
Compliance Risk: A Fundamental ERM Pillar
• Compliance risks are only part of the ERM picture, but
they are some of the most significant risks to the
company from a financial perspective, ranking high in
priority for managerial review and action.
• The challenge facing many compliance professionals
today is how best to integrate compliance risks into a
wider world of risk in a formal ERM structure.
Why ERM for Insurers?
Regulatory Drivers
• Solvency II, European
• SOX
• Dodd-Frank
• Regulators/Audits
• Banking and Securities
•
•
•
•
Business Drivers
Strategic Analysis
Rating Agencies (S&P,
AM Best, Moody’s)
Financial Auditors
Shareholders and
other stakeholders
* NAIC Risk Management and Own
Risk Solvency “RMORSA” Model Act *
8
NAIC Activity & Developments
• December 2010 NAIC adopted significant revisions to the
Insurance Holding Company System Regulatory Act
(Model 440) and the Insurance Holding Company System
Model Regulation (Model 450)
• Perceived risk to insurance companies from nonregulated entities within their holding company
structure
• Enterprise Risk defined
• Enterprise Risk Reporting Form – Form F at least
annually
9
NAIC Activity & Developments
• “Enterprise Risk” is any activity, circumstance, event or
series of events involving one or more affiliates of an
insurer that, if not remedied promptly, is likely to have
a material adverse effect upon the financial condition or
liquidity of the insurer or its insurance holding company
system as a whole, including, but not limited to,
anything that would cause the insurers Risk-Based
Capital to fall into company action level … or would
cause the insurer to be in a hazardous financial
condition.
10
NAIC Activity & Developments
• Form F Reporting Requirements
– Material developments re: strategy, internal audit
findings, compliance on risk management affecting the
insurance holding company system.
– Acquisition or disposal of insurance entities and
reallocating of existing financial or insurance entities with
the insurance holding company system.
– Shareholder changes of the insurance holding company
system exceeding 10% or more of voting securities.
– Developments in various investigations that may have a
significant bearing or impact on the insurance holding
company system.
11
NAIC Activity & Developments
• Form F Reporting Requirements
– Business plan of the insurance holding company system and
summarized strategies for the next 12 months.
– Identification of material concerns of the insurance
holding company system raised by supervisory college, if
any, in the past year.
– Indentification of insurance holding company system
capital resources and material distribution patterns.
– Indentification of any negative movement, or discussions
with rating agencies that might have caused or might
cause, potential negative movement in the credit ratings
12
NAIC Activity & Developments
• Form F Reporting Requirements
– and individual insurer financial strength ratings assessment
of the insurance holding company system (including both
the rating score and outlook.
– Information on corporate or parental guarantees
throughout the holding company
and the expected source
F2MRL4
of liquidity should such guarantees be called upon.
– Identification of any material activity or development of
the insurance holding company system that, in the opinion
of senior management, could adversely affect the
insurance holding company system.
13
The NAIC RMORSA Model Act
In this Summary Report, insurers (over $500M in
premium or groups writing over $1B) are asked to
provide detail to state regulators in three key sections:
Section 1 – Description of the Insurer's Risk
Management Framework, including, per the ORSA
Guidance Manual, descriptions of the company’s:
– Risk Culture and Governance.
– Risk Identification and Prioritization
– Risk Appetite, Tolerances and Limits
– Risk Management and Controls
– Risk Reporting and Communication
14
The NAIC RMORSA Report (cont.)
Section 2 — An Insurer's Assessment of Risk Exposures
• Describe how company assesses material and relevant
risks to its business strategy.
• Requires quantification of risks under a range of
outcomes using actuarial measurement or modeling
techniques (scenarios and stress tests) to evaluate
material risks against a “risk tolerance” or “appetite.”
– Reviewed categories can include such risks as credit,
market, liquidity, cash flow, underwriting, claim,
expense, and operational risks.
– Some risks can’t easily be quantified, such as
reputational risk, but nevertheless should be tracked
and considered as part of the analysis.
15
NAIC RMORSA
Section 3 — Group Risk Capital and Prospective
Solvency Assessment
• Documents how the company combines the qualitative
elements of its risk management policy and the
quantitative measures of risk exposure in determining
the level of financial resources (capital and surplus) it
needs to manage its business and execute its business
plans.
• Models over a longer term than previously expected by
regulators, typically 2-5 years.
16
NAIC Activity & Developments
• State adoption of NAIC Holding Co. changes required.
– Connecticut, Kentucky, Louisiana, and Rhode Island
– Florida attempted to pass bill to adopt NAIC changes, but
it did not pass.
– RMORSA Model Act Passage also in progress
• Confidentiality of Information
– State public records laws
• Exemptions
• Trade secret
17
The Compliance Function & ERM
18
ERM: A Continuous Process
Recap Benefits of ERM for Compliance
•
•
•
•
•
•
BEFORE ERM
“Siloed” approach
Weak risk assessment process
Qualitative measurements
Reactive focus on mitigation
Risks ID’d but not Owned
Risks perceived only as threats
•
•
•
•
•
•
AFTER ERM
Collaborative approach
Strong risk assessment process
Quantitative measurements
Proactive focus, “best
practices” controls
Risks Owned, monitored
Better alignment of all
business units towards
strategic company goals
As a Result…
• New perspectives on risks are obtained
• Re-evaluation/revision of staff assignments, workflows,
and attestation processes
• Priorities are more easily set
• Encourages strengthening of controls, procedures
• Opportunities for adopting “best practices”
• Increases the profile & value of Compliance
 Compliance can do a better job
21
Challenge #1: Defining the Compliance Function
• There are many ways to define what “compliance risks”
are, and how/by whom they should be managed.
• The range of risks that could be considered “compliance
risk” is very broad, varies by company. May include:
– Violation of the company’s Code of Conduct and Ethics;
– Failure to adhere to state laws regarding advertising to and
communications with policyholders;
– Non-compliance specifically with policy rate and form filing
procedures;
– Violation of “good-faith” claim handling laws and regulations; or
– Breach of internal underwriting guidelines and authorities.
22
Challenge #2: Keeping Risks/Controls Updated
• Constant need to keep abreast of changes in compliance
and regulatory risk, carried through to the ERM program.
• Over 11,000 new laws and regulations proposed, over
3,000 enacted or adopted annually.
–
–
–
–
New /emerging risks must be captured and shared
Pure number of risks makes categorization difficult
Need to re-score and re-prioritize identified risks
Controls must be flexibly designed, updated frequently
• Compliance team may best positioned to help manage
regulatory change for multiple departments….
Challenge #3: Assessing Compliance Risk
• Quantifying risk may be another special challenge for
Compliance in the ERM process.
– Compliance may not be used to evaluating risk frequency
or severity, or prioritizing compliance/risk issues
– Have to also consider departments outside of Compliance
which may be impacted by a compliance breach.
– May be limited company or industry data on certain types
of compliance losses or risks
» Resources: Laws, Regulations, NAIC, State
DOIs, News, 3rd-partyDatabases, Published
Market Conduct Exams
Challenge #4 – Developing “Best Practice” Controls
• Day-to-day “Policies and Procedures” are some of the
most important kinds of key “ERM controls.” The two
concepts are different, but should be kept as integrated.
Risks
Controls
Policies
Procedures
• Failure to keep Compliance Risk Management, Policies
and Procedures, and ERM Controls aligned and crosschecked can lead to staff confusion, duplicate or
inefficient workflows, missed regulatory changes, and
poor management of risks overall.
Example, an Underwriting Risk…
The Risk: Improper underwriting, or underwriting loss, due to a
violation of a policy limit authority
Key Controls, as listed in an ERM Control Library/Register:
• Underwriting Guidelines by line of business
• Management delegation of approval of U/W authority
• System Controls to prevent override of U/W authority, entering in
contract
Related Policies & Procedures, including protocols for:
• Ensuring U/Ws receive an Underwriting Authority Letter upon hire
(HR, U/W management responsibility)
• For Policy(contract) issuance to policyholder, and recording of
policy data in systems (U/W support or Operations, Finance, IT)
• Disclosure Committee procedures for Breach Reporting, such as
quarterly reports to Compliance/Risk/Disclosure Committee of
Breach of U/W Authorities (Compliance, Risk, Legal)
26
Integrating Compliance into ERM Efforts
• The Compliance team should be given more advance notice
of strategic issues faced by other departments. This
includes more information about new product lines, business
partners, vendors, and other initiatives.
• The more information Compliance has, and the earlier they
have it, the better Compliance staff can assess related
compliance or regulatory risks and controls, to offer
meaningful input into any decision-making process.
• Managing the compliance risk of any
new business initiative is a key
first step on the road to success.
• All departments should coordinate efforts on identifying and
sharing “emerging risks” and trends in their area of
responsibility, and create a communication loop to
understand risks seen by other areas (legal, finance, etc.)
• Use Compliance team members in ERM projects, as leaders
or participants, such as reviewing or auditing certain crossdepartmental controls, developing key performance
indicators, or improving management ERM reports.
– Better integrate ERM controls with compliance
“policies and procedures.” Frequently self-assess
the ERM program against Compliance initiatives
group-wide for any gaps or areas of duplication.
28
• Widen the audience who receives news
of compliance breaches, and increase
focus on the “group-wide” impact of
compliance violations.
• This will help the ERM team and management, see compliance
problems from multiple angles, in terms of the potential harm
to the company’s reputation, loss of business, and strained
agent, broker or reinsurance relationships.
• Communication of how compliance risks actually develop, and
how they are managed or dealt with in practice, helps
educate other departments about losses inherent in the
business, and potential solutions for mitigating future losses.
29
Conclusion: Compliance as Star Performers
• Despite the challenges that Compliance professionals may
face while implementing an ERM program, they can also
provide crucial skills, wide perspective and valuable insight to
help a company assess legal and regulatory risk.
• Solid compliance risk management is crucial to enterprise risk
management, and can provide a strong foundation for broader
evaluation of risks and controls across the company.
• Compliance professionals should be star performers on every
ERM team.
QUESTIONS ??
THANK YOU !