In the midst of the insurance industry's “conference season,” all ears have been to the ground listening for the rumblings of approaching challenges, trends, and regulatory changes. Here are a few of the most resonant enterprise risk management (ERM) and compliance concerns that are likely to be taking up the mind space of insurers through the end of 2013:

Continued Focus on Catastrophes and “Super Storms”

The Insurance Regulatory Examiners Society Foundation recently held its National School of Market Regulation, which featured a regulator roundtable. Echoing current industry business and regulatory compliance challenges, the property and casualty hot topic was catastrophes and “super storms.” What else can states do to help prevent losses? Several state regulators spoke about special sessions to pass or improve statewide building codes, with “Build high, build strong” as a motto. In Missouri, for example, regulators found that structures constructed or improved under new building codes put in place as a result of Hurricane Rita were better able to withstand subsequent storms.

Earthquake risk was highlighted as an area that needs to be better addressed by Congress at a national level. Less than 15 percent of real property is thought to be insured in California, and other areas of the country have seen seismic activity recently. The Washington Monument is currently closed as a result of earthquake damage two years ago, a reminder that the East Coast also has significant fault lines. Regulators are concerned with increasing construction activity in the areas along the New Madrid Seismic Zone in Missouri. Recent examples of damage in New Zealand demonstrate it takes only one major earthquake to devastate communities unaccustomed to dealing with structural damage. Companies such as Allstate have been talking to various state departments of insurance to help them better understand the risks and are inviting regulators to view actual damage from disasters firsthand.

Some suggestions for improving national earthquake response efforts go beyond building codes. Currently, not all mortgage lenders require earthquake insurance in known danger zones and the federal government does not help replace homes or personal property. The Department of Homeland Security's Federal Emergency Management Agency (FEMA) and state government disaster-relief programs are primarily designed to help individuals get immediate emergency assistance for temporary shelter and food only, as well as low-interest loans for those who qualify.

Insurers that sell residential property insurance in California must offer earthquake coverage to their policyholders. This kind of law may be adopted by other states as well. In states such as Missouri, regulators are paying close attention to carriers offering disaster coverage, keeping a close eye on rates, forms and increasing deductibles for earthquakes and other catastrophes. Another suggestion being discussed is for more state-sponsored residual market coverage, or a federal government bond or back-stop specifically for earthquake, such as exists in the Terrorism Risk Insurance Act, or TRIA.

Health Care Reform

During life and health regulator roundtables at the IRES School of Market Regulation, health care reform was a lively topic of discussion. Clearly state regulators and carriers alike are struggling with big-picture issues such as health care industry structures, and re-imagining what insurers' business models might look like in the decades ahead. How health care will ultimately be financed, and by whom, is still in flux. Disbursements are also a question – who is going to make up “missing money” to providers if there are gaps in coverage? Will there ultimately be a fully insured market?

On a practical level, companies and regulators alike are grappling with how personal health data will be stored, transmitted and used, and how technology may serve the industry by providing more meaningful analytics about loss history and trends. Of more immediate concern, high volumes of rate and form filings are problematic, as companies are required to implement new coverage forms to reflect changes in state plans. It is an exploding workflow issue for compliance professionals in both companies and state insurance departments.

RMORSA Reporting

On the enterprise risk management side, the National Association of Insurance Commissioners' 2012 adoption of the Risk Management and Own Risk and Solvency Assessment, or RMORSA, model act is now a major driver of insurance company ERM and capital-management practices. The act, which each jurisdiction now needs to adopt into state law, requires insurers to embed comprehensive risk-management practices and to report their current and prospective solvency estimates to their home state regulator.

A RMORSA panel at the IRES School of Market Regulation included state regulators Bill Harrington of Ohio and Brett Barratt of Utah. From a regulator's perspective, the RMORSA model act was enacted to help state supervisors better evaluate company solvency. However, the panel stressed that ERM in general should be embraced as a helpful tool for managing a company's business strategy as well as mitigating risk in an insurer's day-to-day operations.

What are regulators looking for in company reporting of their risk program? An ERM strategy must work for the company, and be easy to apply. Regulators will want to see that risks are proactively owned, monitored and reviewed on a regular basis. They will be checking to ensure that new risks are clearly identified and that both threats and opportunities are perceived and evaluated.

Employees at all levels of the company need to understand the program. How risks and controls are identified and measured should be clear, and everyone needs to be vested in the process. Making the process too complicated will backfire. Examiners will also want to “hear the same story” from everyone when interviewing people throughout the company about the ERM program.

Companies should thoroughly consider and embrace other uses for the RMORSA report and associated ERM documentation outside of legal or regulatory requirements. The RMORSA report can serve as an excellent internal communications tool for guiding discussions with senior managers across departments, the Board and its committees. It can also be an important tool for communicating with external analysts and rating agencies.

Panelists emphasized that it should be much easier for companies to make strategic decisions when all of their risk and control management information is together in one place, and companies will continue to develop meaningful internal reporting and dashboards in addition to providing external-facing reports.

The RMORSA report may also serve as a helpful roadmap for state examiners and external auditors, as well as for self-audits. The report should show at a glance the company's key risks and their associated controls, measuring control effectiveness and any procedural gaps. Ultimately, having the RMORSA report may save internal resources on control and audit management, focusing staff and money on the risks and controls that most need attention and would have the most impact on the company's bottom line of risk-based capital allocation.

“Top of the Mind” Issues for CROs and Risk Practitioners

At the 11th Annual Enterprise Risk Management Symposium sponsored by the Casualty Actuarial Society and the Professional Risk Managers' International Association, or PRMIA, the keynote roundtable featured senior leaders in enterprise risk management. Six panelists, including representatives from Guardian Life, Zurich Insurance, and Lincoln Financial Group, discussed industry “Top of the Mind” challenges. Key issues include:

  • Continued low interest rates in the U.S. are driving companies to seek diversified assets on a global basis in the short term, and in the longer term may lead to an insurance crisis, especially for life companies who had priced policies long ago with an interest rate assumption that was significantly higher than current stagnant rates.
  • Companies are struggling to both manage and maximize the underwriting, claims, and industry trend data available today. Analytics, the investigation and communication of meaningful patterns in statistics and data, can significantly help predict and improve business performance. However, how much data can and should be used? What is too little or too much data to maximize the cost/reward equation?
  • On the human resource side, the shortage of experienced insurance talent appears to be getting worse. Insurance professionals on the whole are an aging group, and many companies have had hiring freezes, or have not invested in mentoring and training new recruits, over the past few years, particularly after the 2008 financial crisis. This trend is evident in state insurance departments, as well as insurance companies and related firms such as brokerages and agencies. This age of historically low staffing is clashing with a period of higher regulatory activity, and more federal and state supervision of company risk management controls and compliance processes. How companies and state regulators are going to practically manage implementation of new global regulatory financial solvency and risk management initiatives remains to be seen.

Aligning Technology within an ERM Framework

Several panels at the Global Strategic Management Institute's 2013 Governance, Risk Management, and Compliance Summit focused on implementing and executing a comprehensive strategy for governance, risk and control management. One of the major challenges for insurers this year is implementing or improving current risk management tracking platforms.

Many companies are just now designing comprehensive risk management frameworks, and are looking for technology platforms to support their program as it becomes more mature. Other institutions have been grappling with spreadsheets and manual processes to manage their risk and control assessments, and run capital analysis out of data that is difficult to analyze, manipulate and report on in a consistent way.

No matter what their current stage, to prepare for a higher stage of ERM maturity, companies must look for systems which are able to handle both (a) how similar risks in different departments can be aggregated and “rolled up” to a higher level, as well as (b) how different risks impacting each other may be correlated. Companies should also be testing common combinations of risks in various scenarios. For example, earthquake or flood events may be immediately followed by riot or fires. Several losses in a neighborhood or wider geographic area, such as with the recent Oklahoma tornadoes, may cause serious long-term business loss due to the regional economic collapse. Predictive models may not follow a normal distribution, but may exponentially increase when two types of disparate damage converge.

However, several speakers noted that it is not necessary to have just one “mega” technology platform for this analysis. Companies currently appear to be investing in point solutions for different departments, to manage such disparate functions as compliance and market conduct risk, auditing/SOX functions, and operational risk. Having different point solutions is only effective, however, when there is an overarching risk and control framework which is aligned with the company's business strategy. Different functional areas with different systems can still benefit each other and provide meaningful information by using the same risk management language and libraries. IT systems can be managed together under an overarching framework or program, so they can interface and provide centralized reporting.
