In the midst of the insurance industry's “conference season,” all ears have been to the ground listening for the rumblings of approaching challenges, trends, and regulatory changes. Here are a few of the most resonant enterprise risk management (ERM) and compliance concerns that are likely to be taking up the mind space of insurers through the end of 2013:

Continued Focus on Catastrophes and “Super Storms”

The Insurance Regulatory Examiners Society Foundation recently held its National School of Market Regulation, which featured a regulator roundtable. Echoing current industry business and regulatory compliance challenges, the property and casualty hot topic was catastrophes and “super storms.” What else can states do to help prevent losses? Several state regulators spoke about special sessions to pass or improve statewide building codes, with “Build high, build strong” as a motto. In Missouri, for example, regulators found that structures constructed or improved under new building codes put in place as a result of hurricane Rita were better able to withstand subsequent storms.

Earthquake risk was highlighted as an area that needs to be better addressed by Congress at a national level. Less than 15 percent of real property is thought to be insured in California, and other areas of the country have seen seismic activity recently. The Washington Monument is currently closed as a result of earthquake damage two years ago, a reminder that the East Coast also has significant fault lines. Regulators are concerned with increasing construction activity in the areas along the New Madrid Seismic Zone in Missouri. Recent examples of damage in New Zealand demonstrate it takes only one major earthquake to devastate communities unaccustomed to dealing with structural damage. Companies such as Allstate have been talking to various state departments of insurance to help them better understand the risks and are inviting regulators to view actual damage from disasters firsthand.

Some suggestions for improving national earthquake response efforts go beyond building codes. Currently, not all mortgage lenders require earthquake insurance in known danger zones and the federal government does not help replace homes or personal property. The Department of Homeland Security's Federal Emergency Management Agency (FEMA) and state government disaster-relief programs are primarily designed to help individuals get immediate emergency assistance for temporary shelter and food only, as well as low-interest loans for those who qualify.

Insurers that sell residential property insurance in California must offer earthquake coverage to their policyholders. This kind of law may be adopted by other states as well. In states such as Missouri, regulators are paying close attention to carriers offering disaster coverage, keeping a close eye on rates, forms and increasing deductibles for earthquakes and other catastrophes. Another suggestion being discussed is for more state-sponsored residual market coverage, or a federal government bond or back-stop specifically for earthquake, such as exists in the Terrorism Risk Insurance Act, or TRIA.

Health Care Reform

During life and health regulator roundtables at the IRES School of Market Regulation, health care reform was a lively topic of discussion. Clearly state regulators and carriers alike are struggling with big-picture issues such as health care industry structures, and re-imagining what insurers' business models might look like in the decades ahead. How health care will ultimately be financed, and by whom, is still in flux. Disbursements are also a question – who is going to make up “missing money” to providers if there are gaps in coverage? Will there ultimately be a fully insured market?

On a practical level, companies and regulators alike are grappling with how personal health data will be stored, transmitted and used, and how technology may serve the industry by providing more meaningful analytics about loss history and trends. Of more immediate concern, high volumes of rate and form filings are problematic, as companies are required to implement new coverage forms to reflect changes in state plans. It is an exploding workflow issue for compliance professionals in both companies and state insurance departments.

RMORSA Reporting

On the enterprise risk management side, the National Association of Insurance Commissioner's 2012 adoption of the Risk Management and Own Risk and Solvency Assessment, or RMORSA, model act is now a major driver of insurance company ERM and capital-management practices. The act, which each jurisdiction now needs to adopt into state law, requires insurers to embed comprehensive risk-management practices, and report on its current and prospective solvency estimates to its home state regulator.

A RMORSA panel at the IRES School of Market Regulation included state regulators Bill Harrington of Ohio and Brett Barratt of Utah. From a regulator's perspective, the RMORSA model act was enacted to help state supervisors better evaluate company solvency. However, the panel stressed that ERM in general should be embraced as a helpful tool for managing a company's business strategy as well as mitigating risk in an insurer's day to day operations.

What are regulators looking for in company reporting of their risk program? An ERM strategy must work for the company, and be easy to apply. Regulators will want to see that risks are proactively owned, monitored and reviewed on a regular basis. They will be checking to ensure that new risks are clearly identified and that both threats and opportunities are perceived and evaluated.

Employees at all levels of the company need to understand the program. How risks and controls are identified and measured should be clear, and everyone needs to be vested in the process. Having the process be too complicated will backfire. Examiners will also want to “hear the same story” from everyone if interviewing people throughout the company about the ERM program.

Companies should thoroughly consider and embrace other uses for the RMORSA report and associated ERM documentation outside of legal or regulatory requirements. The RMORSA report can serve as an excellent internal communications tool for guiding discussions with senior managers across departments, the Board and its committees. It can also be an important tool for communicating with external analysts and rating agencies.

Panelists emphasized that it should be much easier for companies to make strategic decisions when all of its risk and control management information is together in one place, and companies will continue to develop meaningful internal reporting and dashboards in addition to providing external-facing reports.

The RMORSA report may also serve as a helpful roadmap for state examiners, external auditors, as well as self-audits. The report should show at a glance the companies most key risks and their associated controls, measuring control effectiveness and any procedural gaps. Ultimately, having the RMORSA report may save internal resources on control and audit management, focusing staff and money to the risks and controls which most need attention and would have the most impact on the company's bottom line of risk-based capital allocation.

“Top of the Mind” Issues for CROs and Risk Practitioners

At the 11^th Annual Enterprise Risk Management Symposium sponsored by the Casualty Actuarial Society and the Professional Risk Managers' International Association, or PRMIA, the keynote roundtable featured senior leaders in enterprise risk management. Six panelists, including representatives from Guardian Life, Zurich Insurance, and Lincoln Financial Group discussed industry “Top of the Mind” challenges. Key issues include:

Continued low interest rates in the U.S. are driving companies to seek diversified assets on a global basis in the short term, and in the longer term may lead to an insurance crisis, especially for life companies who had priced policies long ago with an interest rate assumption that was significantly higher than current stagnant rates.
Companies are struggling to both manage and maximize the underwriting, claims, and industry trend data available today. Analytics, the investigation and communication of meaningful patterns in statistics and data, can significantly help predict and improve business performance. However, how much data can and should be used? What is too little or too much data to maximize the cost/reward equation?
On the human resource side, the shortage of experienced insurance talent appears to be getting worse. Insurance professionals on the whole are an aging group, and many companies have had hiring freezes, or have not invested in mentoring and training new recruits, over the past few years, particularly after the 2008 financial crisis. This trend is evident in state insurance departments, as well as insurance companies and related firms such as brokerages and agencies. This age of historically low staffing is clashing with a period of higher regulatory activity, and more federal and state supervision of company risk management controls and compliance processes. How companies and state regulators are going to practically manage implementation of new global regulatory financial solvency and risk management initiatives remains to be seen.

Aligning Technology within an ERM Framework

Several panels at the Global Strategic Management Institute's 2013 Governance, Risk Management, and Compliance Summit focused on implementing and executing a comprehensive strategy for governance, risk and control management. One of the major challenges for insurers this year is implementing or improving current risk management tracking platforms.

Many companies are just now designing comprehensive risk management frameworks, and are looking for technology platforms to support their program as it becomes more mature. Other institutions have been grappling with spreadsheets and manual processes to manage their risk and control assessments, and run capital analysis out of data that is difficult to analyze, manipulate and report on in a consistent way.

No matter what their stage of maturity, to better prepare for a higher stage of ERM maturity, companies must look for systems which are able to handle both (a) how similar risks in different departments can be aggregated and “rolled up” to a higher level, as well as (b) how different risks impacting each other may be correlated. Companies should also be testing common combinations of risks in various scenarios. For example, earthquake or flood events may be immediately followed by riot or fires. Several losses in a neighborhood or wider geographic area, such as with the recent Oklahoma tornados, may cause serious long term business loss due to the regional economic collapse. Predictive models may not follow a normal distribution, but may exponentially increase when two types of disparate damage converge.

However, several speakers noted that it is not necessary to have just one “mega” technology platform for this analysis. Companies currently appear to be investing in point solutions for different departments, to manage such disparate functions as compliance and market conduct risk, auditing/SOX functions, and operational risk. Having different point solutions is only effective, however, when there is an overarching risk and control framework which is aligned with the company's business strategy. Different functional areas with different systems can still benefit each other and provide meaningful information by using the same risk management language and libraries. IT systems can be managed together under an over-arching framework or program, so they can interface and provide centralized reporting.

Special Reports /

&quot;All Ears To The Ground&quot; for Advancing Risks

Related Stories

Recommended For You

"All Ears To The Ground" for Advancing Risks