Office of Corporate and Financial Regulation January 2006 Issue: Risk-Focused Approach to Solvency Monitoring The Risk Assessment Working Group (formerly known as the Risk Classification Subgroup), of which Pennsylvania is a member, was formed to develop a structure for evaluating the risk inherent in an insurer’s operations with the ultimate goal to make financial analysis and examinations more effective and efficient. In the past, insurance markets have developed from state to state, reflecting differences in demographics and geography. However, as insurance markets become more competitive and financial markets converge, the structure and operations of the industry are changing. The complexity of new products and the speed at which they are introduced have increased dramatically as insurers compete with other divisions of the financial services sector. As the insurance industry evolves and complexity increases, the regulatory environment must also enhance its current supervision process to better identify the risks insurers are assuming. On the global and domestic frontier, many financial institutions and trade organizations are assessing the need to restructure their current risk management systems. As the financial services industry launches products that contain the use of derivative and other complex investment features, many entities are implementing more futuristic tools for measuring these products’ financial risks. Firms in all sectors are giving attention to the effectiveness of their risk assessment and management systems, including the allocation of capital to cover their risks. In response to these market developments, a number of regulators have introduced a “riskfocused” approach to supervision. In the banking sector, this approach has been adopted by the Federal Reserve, OCC, OTS, and FDIC, as well as banking regulators in other countries. In 1997, the Basel Committee on Banking Supervision, an international association of banking supervisors, released its Core Principles for Banking Supervision. According to the Core Principles, “Banking, by its nature, entails taking a wide variety of risks. Banking supervisors need to understand these risks and be satisfied that banks are adequately measuring and managing them.” The Basel Committee has subsequently issued guidance describing best practices for bank management of various risks. In addition to banking regulators, insurance regulators around the world are adopting a riskfocused approach to supervision. Examples can be found in the UK, Canada, Australia, and Sweden, among other countries. The Core Principles for Insurance Supervision, developed by the International Association of Insurance Supervisors (IAIS), support regulatory processes that ensure the prudent management and control of risk concentrations by insurers. The recent enactment of the Sarbanes-Oxley Act of 2002 requires all publicly traded companies to significantly enhance management controls associated with financial reporting. The requirements imposed by this legislation will provide state regulators with an enhanced ability to perform the risk assessment contemplated by the Risk Assessment Working Group by leveraging off of the work performed by these companies. The NAIC/AICPA Working Group has developed revisions to the Model Audit Rule designed to implement the pertinent portions of Sarbanes-Oxley for non-publicly held insurance companies. The timeliness of the enactment of Sarbanes-Oxley and the heightened concern about sound corporate governance in today’s environment will assist the NAIC in working towards enhancing risk assessment in the financial solvency oversight function. 1 Office of Corporate and Financial Regulation January 2006 Through their activities, insurers assume a variety of risks, as that is the essence of an insurance transaction. The type of risk and its significance varies by activity. Investment activities may involve credit risk, market risk and liquidity risk. In product sales, insurers may assume catastrophe risk, market risk, pricing/underwriting risk, strategic risk or liquidity risk in varying degrees depending on the product. Over the years, state insurance regulators have developed numerous tools that address the risks insurers assume. Investment laws limit the market and credit risk insurers can assume. Limitations on net retentions help address catastrophe risk. Riskbased capital requirements establish capital levels in recognition of a variety of risks. Insurance regulators have always considered the risk profiles of licensed insurers and the activities that may pose risk to the company in the future. Although prior on-site financial examinations were based on a risk-focused approach, that approach primarily focused on financial reporting risk. Solvency issues generally are a result of operating risks that were not mitigated by adequate controls to an acceptable level. Inadequately controlled operating risks may take several years to be reflected in the company’s financial statements. The revised risk assessment approach was developed by the NAIC in response to a recommendation by the Risk Assessment Working Group, of which Pennsylvania is a member. The recommendation was based on the need to enhance the qualitative aspects of examination and financial analysis functions. The Risk Assessment Working Group determined that solvency surveillance needed a broader risk focus to become more proactive in identifying emerging solvency issues. When the revised approach is utilized by regulators, examination activities will be enhanced by a risk-focused methodology that more clearly directs the selection of financial statement verification to only those accounts with the greatest risk. In addition, the examination will also assist in identifying strategic and operating risks, investigating mitigation strategies for those risks and developing recommendations to reduce risk to an acceptable level. A broader, organization-wide business risk assessment that also focuses on strategic and operational issues enhances the process for evaluating the entire solvency risks inherent in an insurer’s operations. The enhancement in the risk assessment process and supporting tools will also benefit the ongoing financial analysis of the insurer. In 2004, the NAIC Risk Assessment Working Group adopted the Risk-Focused Surveillance Framework whose five principles set the foundation for the enhancement of the risk assessment components for financial analysis and examinations. The Framework consists of the following five functions, all of which are currently performed under state insurance regulators’ current financial solvency oversight role: Risk-Focused Examinations Off-Site Risk-Focused Financial Analysis Review of Internal/External Changes Priority System (CARRMELS) Supervisory Plan 2 Office of Corporate and Financial Regulation January 2006 The Risk Assessment Working Group determined solvency surveillance needed a broader risk focus to become more proactive in identifying emerging solvency issues. The purposes of a Risk-Focused Surveillance process is (1) to detect as early as possible those insurers with potential financial trouble; (2) to timely identify noncompliance with state statutes and regulations; (3) to compile the information needed for timely, appropriate regulatory action; (4) to provide a clearer methodology for assessing residual risk in each activity under review and to explain how that assessment translates into establishing examination procedures; (5) to allow the assessment of risk management processes other than those that result in financial statement line item verifications, for example, the effectiveness of the board of directors and other corporate governance activities, thus providing an introspective look at the operations and quality of the risk management processes of the insurer; and (6) to allow for the utilization of examination findings to establish, verify or revise a uniform company priority rating. The system of financial surveillance advocated by the Risk-Focused Surveillance Framework is designed to provide continuous regulatory oversight. The risk-focused approach requires fully coordinated efforts between the financial examination function and the financial analysis function. There should be a continuous exchange of information between the field examination function and the financial analysis function to ensure that all members of the department are properly informed of solvency issues related to the state’s domestic insurers. Responsibilities of the analysts in the Risk-Focused Financial Surveillance Framework (1) to monitor the states’ domestic insurers; (2) to provide input for a regulator-wide prioritization and internal department priority systems; and (3) to provide department management with timely knowledge of significant events relating to the domestic insurers. This information is to be used by the field examination function as input for scheduling and staffing of examinations. All these elements allow for examinations that emphasize the analysis of an insurer’s current or prospective solvency risk areas as well as the fair presentation of surplus. To conduct an effective risk-focused examination, examiners must have adequate training and experience and appropriately involve key regulatory functions in the department, since sound judgment must be exercised at every stage of the examination process. Enhanced risk assessment is not intended to add additional hours to the examination process, but to assist the examination teams in better allocating available hours to the most critical risks facing the companies they regulate. In order to ensure the confidentiality of an insurer’s internal risk management processes, the work product of any risk assessment should, to the broadest extent possible, pivot off of the statutory examination function. That process, and all the information resulting from that process, can be held confidential under existing law for those states that have adopted the Model Law on Examinations. Two sub-groups, of which Pennsylvania is a member of both, were appointed to take the Framework and all its components and incorporate it into the Examiners Handbook and the NAIC Financial Analysis Handbook. The resources needed to process the aforementioned revisions have not been insignificant. The changes to the Examiners Handbook have been drafted and twice exposed for comment. The proposed comments from regulators and interested parties are currently being reviewed by the members of the Risk Assessment Working Group. The Financial Analysis Handbook sub-group has not yet started its work. 3 Office of Corporate and Financial Regulation January 2006 The Risk Assessment Implementation Sub-Group, of which Pennsylvania is the chair, has been formed to develop a plan for risk assessment implementation. The Framework is the basis for that implementation. The enhancements proposed would tie all of them together in a more cohesive manner that can be consistently applied by state regulators. The sub-group will need to address insurance department staff training in multiple areas such as risk assessment overview; changes to the examiners and analysis handbooks; interviewing skills; effective examination planning through understanding the Company; assessment of corporate governance initiatives including internal audit, external audit and Sarbanes-Oxley; utilizing the qualitative and quantitative elements of risk assessment; communication with to enhance the insurer profile; traditional substantive examination testing; recommending revisions to and compliance with accreditation standards; teammate best practices; examination result products; examination wrapup and updating the financial surveillance plan. Clearly defined consistency of the risk-focused concept between the analysis and examination guidance and accreditation standards will need to be accomplished for a risk-focused approach to achieve maximum benefit. 4