What profound changes we have seen in the insurance industry in just the past year! After working for insurance and reinsurance companies for many years, I was away from the industry for several months. When I returned, the number of major changes in the legal, regulatory, and risk environments surprised me. I can certainly relate to the story of Rip van Winkle, awakening to a world of new ideas and advancements.
One year ago, the biggest concerns I faced as in-house counsel and compliance officer included the Non-Admitted and Reinsurance Reform Act, new Medicare claim reporting requirements, and increasingly onerous privacy regulations. These issues now seem to pale in comparison to the issues inherent in health care reform with the passage of the new Patient Protection and Affordable Care Act.
In my previous role at a U.K.-owned company, our compliance team had started major work on Solvency II-related initiatives, but it was an effort I viewed as primarily impacting our overseas affiliates. Today, I marvel at how much progress the National Association of Insurance Commissioners (NAIC) has made on a similar “solvency modernization” plan over the past 12 months, working diligently—often with foreign regulators—toward improvement of global accounting, financial reporting, and capitalization review standards.
But nowhere have industry changes been more apparent than in the area of enterprise risk management (ERM) – loosely defined as the process of planning, organizing, leading, and controlling all activities of a company in an integrated fashion in order to minimize the effects of risk on a company’s capital and earnings. Just a short time ago, the insurance industry was becoming familiar with ERM initiatives, with a key focus on assessing risks specific to legal departments. As a department head, I reviewed what other managers identified as their concerns, and understood that somehow all of this information was going to be wrapped up, attested to, and shared with the Board. However, it sometimes seemed like ERM was going to be just another layer of compliance reporting and paperwork, and, perhaps, an operational headache.
Fast forward to a year later, and we are now in a world where ERM has become one of the most important and valuable management tools for insurance companies. Actually, I feel like Risk van Winkle. I see that increased focus on ERM by regulators, auditing firms, and rating agencies has heightened pressure on carriers to adopt robust ERM processes.
Just from a regulatory perspective, progress has been swift. Last July, the Wall Street Reform and Consumer Protection Act (aka the Dodd-Frank Act) was signed. In an unprecedented move toward federal oversight of insurance, the Act created a new Federal Insurance Office (FIO) within the Treasury Department. The FIO will collect information and monitor most lines of insurance, and is also charged with recommending improvements to the state-based regulation of insurance. Within the FIO’s planned formal study and report on the regulatory system, due in 2012, carriers’ ERM practices are expected to play an important role, and may serve as a foundation for future federal regulation.
At the same time, the NAIC has been promoting the adoption of ERM strategies with more force. For example, this past December, the NAIC adopted a significant revision to the Insurance Holding Company System Regulatory Act (Model 440) and the Insurance Holding Company System Model Regulation (Model 450), requiring holding companies to report elements of enterprise risk at least annually.
Additionally, the NAIC is currently discussing potential requirements for companies to provide formal “Own Risk and Solvency Assessments” (ORSAs). A formal ORSA regulation would mandate that companies carry out regular reviews of all of their risks enterprise-wide—whether insurance, market, credit, operational or strategic—and evaluate their current and likely future solvency or capital needs in light of the company’s own risk tolerance and business plans.
As if awakening from a dream, I am trying to clear the fog of this new risk-clouded world—and I’m discovering that many other insurance professionals share this feeling. We all need to learn the new risk language. We need to determine: What exactly are companies doing for ERM to meet these new requirements? How will companies now manage their compliance and regulatory policies and procedures on a day-to-day basis to support wider risk and control reviews? What are the best practices for integrating risk reporting with financial reporting and capital planning? How are regulators and auditors testing and evaluating insurer ERM?
These are all questions I plan to address with this new blog. I hope it will help serve as a blueprint for others grappling with ERM issues. We’ll discuss emerging risks and find out what the heck “stress testing” really is. For those of you who are ERM apprentices, I’ll cover the basics. For those of you who may consider yourselves ERM artisans, I will ask for your advice and opinions. So grab a cup of coffee, and let’s all wake up!