Whilst all businesses are trying to manage and develop ways to adapt to the new post-pandemic working environment, the insurance industry in particular is dealing with changes on multiple fronts. Some of these changes are regulatory-driven, whilst others are motivated by the aspirations to enhance efficiency in operating models.
Insurers need to adapt in a much more agile way to manage the risks around evolving processes, digitisation of operations, and changes to operating models. As such, it is important to evaluate the potential risks that insurers may be exposed to through such changes and design a mechanism to manage those risks.
The following three areas should be the key focus for insurers:
1. IFRS 17 implementation
- Define the IFRS 17 control framework. It is critical to embed a robust control environment over end-to-end processes. The new standard is more complex, it involves more calculations, and it will be harder for stakeholders to understand in the short term. Therefore, it is key to embed controls that ensure accurate and understandable results.
- Ensure accountability for all processes. Input data for the majority of IFRS 17 models and user-deployed applications will be sourced from actuarial, pricing, policy, and multiple financial systems. It is fundamental to define clear roles and responsibilities and hold control owners accountable. This can be done by mapping individuals to their respective role in the process and creating a structure that ensures smooth flow of information both to management and within teams.
- Liaise with external auditors. External auditors are likely to take control reliance over complex areas such as the General Measurement Model (GMM). It is important for management teams to liaise with them early in the process as key financial controls over complex areas are being designed and implemented.
2. ESG regulations and related updates
- Work with the audit committee to define the framework to report on ESG metrics. Audit committee members should understand how ESG risks are identified and how the controls that are set in place manage those risks, working along with management teams to define the ESG reporting framework. The audit committee should also define the governance structure to continuously monitor and evolve the ESG reporting process.
- Perform comprehensive analysis to identify ESG-related risks. ESG-related risks and controls may not be fully captured in an existing financial risk framework. To identify additional ESG-related risks that might affect a company, management teams should conduct a gap analysis to identify areas that need improvement to comply with the Task Force on Climate-Related Financial Disclosures (TCFD) requirements. For example, these risks can result from the implementation of new processes or from the data and systems used to capture ESG KPIs.
3. Risks introduced through transformation programs
- Identify the risks introduced by bringing third parties into the ecosystem. Insurers are increasingly turning to third-party technology partners for services. In such situations, organisations are exposed to new risks and, if these are not addressed appropriately, they will lead to costly remediation activities later. It is necessary to identify upfront the risks and controls remaining within the organisation versus those sitting with third-party providers. This determines decisions around how risk and controls frameworks evolve.
- Understand the risks involved in technology change. A lot of insurers are moving from the traditional waterfall project delivery methodology to an agile methodology. Whilst the waterfall method is a very linear way to manage change, the agile methodology is characterised by a greater volume of change and more iterations. Insurers should continuously evaluate their risk exposures and take appropriate actions to mitigate those risks. This involves designing and embedding appropriate controls where necessary.
To wrap up
Outlined below are some of the questions that must be considered when designing a transformation program.
- Have you assessed the effectiveness of the risk and control framework that governs IFRS 17 models and supports IFRS 17 reporting?
- Have you performed a review and identified opportunities to enhance and include ESG-related risks and controls?
- Have you evaluated the current transformation programs through the lens of risk and controls to derive maximum value through such changes?
- Have you identified the opportunity to enhance the governance forums/mechanism to review the controls environment and address the emerging issues?