Do Insurance Companies Really Need Risk Management?
Steven Minsky | July 25, 2018
Risk management in the insurance business is a bit of a head scratcher. On the one hand, insurance companies are selling what many people consider to be a form of risk mitigation. On the other hand, insurance companies themselves face a variety of risks they need to mitigate.
Let’s briefly consider a misconception about insurance as it pertains to risk management. Too often, people think insurance is a sufficient, catch-all control activity. But while insurance is a perfect way to protect a business from many risk scenarios, there are other scenarios insurance just can’t cover. Oftentimes, insurance does not cover the core competency of a business.
Insurance companies can “self-insure” or purchase coverage from a reinsurer, but this doesn’t ensure all of the company’s risk is accounted for. One of an insurance company’s core competencies is providing customer service to those who need to submit a claim. If customers consistently have poor customer service experiences, they’re likely to share their stories on social media and tarnish the company’s reputation, and the company will fall behind the competition.
How Can Insurance Companies Benefit from Risk Management?
According to a recent study by the National Association of Insurance Commissioners (NAIC), core risks in the insurance business include “underwriting, credit, market, operational, liquidity risks, etc.” Given this wide variety of concerns, there is a tremendous opportunity for risk management in insurance companies to make a positive impact.
To return to the customer service example above, let’s look at how enterprise risk management could help. Risk management involves identifying, assessing, and mitigating risk. The beauty of a well-implemented risk management program is it’s built on a foundation of standardized risk assessments to help companies prioritize their risk based on its potential impact. Naturally, this process will surface risks that will impact the business’s core competencies.
For an insurance company, customer service would inevitably come to the forefront of a risk assessment. To address this risk, the insurance company could take steps to integrate incident management and risk management. Most companies have a way to track incidents like customer complaints, but many do not have a way of categorizing, prioritizing, and escalating incidents across teams. Risk management in the insurance business helps centralize and identify trends in the customer feedback. From there, insurance companies can implement controls to address those trends, such as hiring more customer service reps to resolve long wait times or implementing call-screenings to identify less-than-helpful interactions.
Improving customer service is only one example of how insurance companies can leverage risk management. A fully integrated enterprise risk management program can help insurance companies develop proactive mitigation activities to protect the core of their business.
Risk Management in Insurance Companies Ensures Compliance
Insurance companies operate under the increased scrutiny of an ever-changing regulatory environment. Risk managers are expected to fully understand how changes at the federal and state level impact their organizations, as well as meet customer expectations for substantial coverage with fair requirement and claims processes.
The NAIC’s expanded Own Risk and Solvency Assessment (ORSA) requirement is just one example of a changing regulation designed to accommodate regulator and consumer expectations. ORSA is defined as “an internal process undertaken by an insurer or insurance group to assess the adequacy of its risk management.”
ORSA goes beyond the SEC disclosure requirements that have universal applicability. It requires firms to “analyze all reasonably foreseeable and relevant material risks…that could have an impact on an insurer’s ability to meet its policyholder obligations.”
The minimum threshold for an ORSA program requires yearly analysis of all material risks. Companies must prove risk assessments have been undertaken at the organizational level where the risk activity takes place, not just at the senior management level. Organizations ensure this occurs by setting a “tone from the top.”
To determine how well your organization’s risk management program meets regulatory and consumer demands, including ORSA requirements, take the complimentary RIMS Risk Maturity Model. Recommended by the NAIC and Institute of Internal Auditors, the RIMS Risk Maturity Model benchmarks the strength of your risk management program and enables you to identify areas that need the most improvement.
ORSA compliance alone can be a major risk management challenge without a connected ERM solution and risk management information system that consolidates information. When any manager can evaluate risks in his or her own sphere of responsibility, however, it’s very easy to “roll” assessments up to the next level. Reporting, whether for annual ORSA assessments or a board meeting, becomes a simple matter of presenting information that already exists in the system.
The insurance industry will likely face a changing federal regulatory landscape in the years ahead. Multiple regulatory influences at the state, federal and international levels continue to present significant challenges for the industry; the effect of Dodd-Frank on insurance companies remains uncertain; and how to classify insurance companies as systemically important financial institutions (SIFIs) still requires clarification. This is only a short list of items creating uncertainty in the insurance industry. Risk management enables insurance companies to succeed amid this uncertainty by anticipating and addressing a wide variety of changes before risk materializes.