A seemingly never-ending wave of new compliance directives is perplexing insurance companies around the world, leaving insurers unsure how they should respond. These new requirements include Solvency II in Europe, new regulations for annuities in the U.S. (from the National Association of Securities Dealers), and the National Provider Identifier (NPI) and Medicare Part D mandates, affecting healthcare payers in the United States. U.S. insurers also face the onerous task of complying with ongoing regulation, such as Sarbanes-Oxley, HIPAA and the USA Patriot Act.
The aim behind these mandates is greater transparency, fueled by the spate of corporate accounting scandals in the early 2000s and the insidiousness of global terrorism. Investors and regulators are seeking greater transparency into company operations and increased accountability from senior management. However, most financial services firms take a piecemeal approach within individual business units to managing risk and compliance activities.
But information that is captured and maintained in silos impedes timely access to the data essential for critical operational decisions, and it hinders detection of potential risk events early enough to prevent them. Silo structures also inhibit the sharing of knowledge related to best practices and create redundant and incompatible data, which complicates technology decisions.
The silo approach discourages exploiting common data across all business and support functions, and that in turn increases enterprise risk by impairing operational and financial performance. Further, risk management structures designed solely to meet regulatory requirements are ineffective.
An Enterprise Approach
The appropriate corrective course of action for insurers is to adopt an enterprise approach to risk management. Here's why:
- Insurers benefit from developing a risk and compliance technical architecture. Knowledge gained during the architecture project maps the company's internal business environment and provides a decision-making blueprint for future initiatives.
- Previous technology investments can be readily exploited. Much of the data and foundational technology are shared by various enterprise data initiatives, including risk management, compliance, corporate performance management (CPM) and customer relationship management (CRM).
- Operational risk metrics can be tightly integrated with overall enterprise performance measurement to develop key risk indicators that map against performance goals and risk limits. This also provides early warning signals and engenders timely, detailed companywide data reporting.
- The vast range of information needed to know your customer and to ensure the control required by regulatory mandates illustrates the inseparable connection among risk management, compliance, CPM and CRM.
Because insurance is founded on the need to manage risk, one would expect the industry to be ahead of others in initiating enterprise risk management (ERM). However, few insurers have hired or appointed chief risk officers (CROs), and few are instituting strategies and technologies to manage risk on a companywide basis.
ERM is a competitive strategy that must exceed mere compliance. An ERM initiative should explicitly align to insurers' capital allocation and growth goals. Critical success factors include:
- Identifying, measuring, monitoring, mitigating and financing all aspects of risk.
- Instituting procedures for handling risk.
- Computing and allocating capital based on risk tolerances.