Canadian Underwriter
Feature

STANDARDIZING CARRIER RISK


February 1, 2000   by Canadian Underwriter



By Wendy Mills, director, KPMG LLP’s GTA Insurance practice and Tracy Capstick, senior manager, KPMG LLP’s Financial Institutions Assurance Based Advisory Services practice

Established by the Insurance Bureau of Canada (IBC) in June, the draft version of the Standards of Sound Business and Financial Reporting Practices is intended to protect property & casualty insurers against overwhelming exposures that endanger their own balance sheet integrity. The standards apply to both federally and provincially regulated carriers, and encompass the operations of foreign branches and subsidiaries.

These standards are designed as minimum measures and address only risks that present a material risk to the solvency of a company. The draft will be finalized in 2000, requiring companies to report on their compliance in 2001 or 2002. Companies, though, should look at these standards not as regulatory requirements, but opportunities to develop self-assessment tools to help them effectively focus their risk management practices and leverage their operations.

The Standards

The draft includes eleven standards that set out policies and procedures a company should utilize to address risks in five broad categories. The chart on the following page summarizes these risk categories and the eleven specific risk areas for which the Standards have been developed.

Each standard provides a definition of the risk it addresses, outlines policies and procedures which a company should have in place, sets out a requirement to document policies, and establishes processes to monitor compliance.

Due to some recent well-publicized company failures, there has been a shift globally toward self-assessment as an approach to risk and control. Such risk and control self-assessment programs include the Criteria of Control Board (COCO) in Canada, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the United States and the Combined Code (formerly known as the Cadbury requirements) in the United Kingdom. Many companies have developed risk and control self-assessment programs using COCO, COSO or the Combined Code.

Concurrently, the Office of the Superintendent of Financial Institutions (OSFI) has introduced a new supervisory framework that will result in an important change in the manner in which it supervises financial institutions and assesses the soundness of the financial condition of a company. This new supervisory process will focus on evaluating a company’s risk profile, its financial condition, the quality of its risk management processes and compliance with applicable regulations.

The risk categories, which form the basis of the risk assessment process incorporated in the OSFI supervisory framework, are similar to the risks addressed by the draft Standards. The risk categories used by OSFI in its supervisory framework are essentially paralleled in the risks addressed by the Standards.

Implementation of effective risk and control self-assessment programs will allow OSFI to rely on companies’ self-assessment processes. This will enable the regulator to direct more resources to organizations with the greatest risk and areas of greatest risk within an organization.

Value-added approach

Since ensuring compliance will require an organization to devote significant resources, it is imperative that the process developed is one that adds value to the organization. The two most significant benefits of complying with the standards are:

Developing an effective mechanism to manage risk; and

Creating a control-conscious environment.

There are many different approaches to ensuring compliance with the standards. Most important, though, is understanding.

It is imperative that the Board of Directors and management understand the Standards along with the implications of carrier non-compliance. This can be facilitated via circulation of appropriate materials to members of the Board and management or holding workshops with management and Board members. The Board is ultimately responsible for a company’s risk management policies and practices, compliance with the Standards and the implications of non-compliance. As a result, management should ensure that the Board obtains adequate information.

Planning

The organization needs to comply with all standards which are material; therefore, each of the key business processes should be assessed.

A material risk is defined in the Standards as a risk that has a material impact on the solvency of the company. Although not specifically defined in the Standards, materiality could be defined in terms of the potential to impair the adequacy of an organization’s reported financial results, regulatory capital or the actuary’s assessment of an organization’s financial condition. If a standard is not material, it becomes non-applicable for the purpose of the Standards. Once the material standards have been identified, a session should be facilitated with the Board and management to review the findings.

Risk Assessment

Risk assessment begins with a review of management’s strategies and key business objectives. This step includes assessing areas such as the competitive and regulatory environments and determining their impact on strategy and objectives. The risks associated with the material business processes, identified during the planning stage, should then be evaluated.

Once the risks have been identified, the controls in place to mitigate those risks should be assessed. Any residual risk should be quantified to ensure it is below acceptable levels.

Documentation and Self-Assessment

The following areas require supporting documentation:

Key business processes: Clear and concise documentation of key business processes tends to represent a good control environment and protects the organization in the event of staff absence or turnover.

Strategies and business objectives: Documentation provides a means of properly evaluating the organization against the goals set at the beginning of each year.

Significant risks: Significant risks should be documented and reported to the Board. This will provide members with an understanding of the threats that may impair the organization’s ability to meet its objectives.

Controls: Adequate documentation should support the existence of controls in place to mitigate significant risks previously identified.

Residual Risk: Where residual risk for material business processes has not been controlled to an acceptable level, documentation should support the plan to control those material risks.

Gap Analysis: At a minimum, an organization’s level of control consciousness needs to meet the standards. Depending on the perceived value of control, the organization may choose to improve the control environment even further. A gap analysis could be completed as follows: (1) Determine the level of control consciousness by applying the costs and benefits of the implementation of the controls. (2) Develop goals to facilitate achieving the desired level of control. (3) Engineer a plan to fully implement the controls. (4) Seek Board approval for the implementation plan.

Reporting

The draft Standards envisage a reporting process similar to that required by the Program for Assessment of Regulatory Compliance (PARC) for life insurance companies. The PARC filing requirements include:

A declaration by the chief executive officer that the Board has passed a resolution stating that the Board understands its responsibilities under the Standards and that the Board is satisfied that management has taken reasonable steps to ensure compliance with the Standards.

A listing of all the standards indicating for each standard whether the insurer is in compliance, is not in compliance, the standard is not applicable or the standard is not material.

For each standard assessed as “not in compliance” a description of an action plan for attaining compliance with the standard.

In addition, OSFI may request certain information relating to the risk management program, implementation plan and verification procedures used to verify the self-assessment process.

The organization needs to allocate sufficient resources to monitor the implementation plan to ensure improvement goals are actually met. This could be achieved by completing walkthroughs of the key business processes to ensure they are working effectively.

The Board is required to review compliance with standards, at least annually. As a result, management should ensure material business processes are still operating effectively and benchmarking is conducted to determine whether more improvements are required.

