How Lucky Do You Feel?
Why enterprise risk management and business continuity planning are more important than ever.
Enterprise risk management (ERM) has become one of the most important and valuable management tools for insurance companies. Increased focus by rating agencies and regulators has heightened pressure on carriers to adopt robust ERM programs. Recent developments at both the state and federal level over the past several years, including the NAIC Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA), will drive ERM initiatives further. What does this mean for claims professionals as companies try to integrate their traditional compliance and risk management activities into a larger ERM program?
Entering the Wider World of Risk
Enterprise risk management is the process of planning, organizing, leading, and controlling all activities of a company in an integrated fashion in order to minimize the effects of risk on the company’s capital and earnings. While individual business units—such as claims, underwriting, or compliance—typically manage specific kinds of loss or risk for the company, an ERM program has a much broader scope. Its view is of the “whole world” of risk throughout a company.
Claims-related risks are only part of the ERM picture, but can be some of the most significant risks to the company from a compliance, financial, and market conduct perspective, ranking as high priority for managerial action. Whether companies are being driven to ERM to further business or financial goals, regulatory compliance targets, or rating agency standards, many of the insurers’ core goals affect the claims department, including:
Better identification of claims and losses, as well as emerging risks, to minimize surprises or shocks to the company’s capital and earnings;
Beefing up controls and risk mitigation techniques, including claims-specific policies and procedures;
Achieving cost savings and efficiencies by better ranking competing risk and control priorities and allocating resources to higher priority items more effectively;
Improving the overall strategic and capital planning process; and
Securing a reputational or competitive advantage by leading the adoption of industry ERM risk and control assessment best practices.
A New Perspective
Adopting an ERM program and looking at risks through multiple perspectives across the organization is often a major cultural change for many companies. For the claims area, an ERM initiative can lead to new ways of looking at compliance risks and controls as more attention is paid to a thorough quantification of risk, as well as the ripple effects a claims compliance breach may have in other departments or functional areas, such as legal, compliance, underwriting, and finance.
The first step in the ERM process is generally a risk assessment phase, which consists of identifying current and emerging risks by business unit or department. A risk library, or risk register, listing all risks of the company is the ultimate product of the assessment phase. A similar process is completed to catalog all of the company’s controls that mitigate risks.
Once risks are identified, they can be rated and prioritized by their significance, typically using metrics like frequency (the likelihood of a risk occurring, usually classified on some scale from “very unlikely” to “very probable”) and severity or magnitude (the financial impact of the risk, should it occur, or a consequence).
Risks and controls may be reviewed with respect to their impacts on other company operations or departments. Resources and activities can then be focused around the most dangerous risks and the most beneficial controls. Note, however, that while even the most effective controls won’t necessarily eliminate 100 percent of all risk, well developed, sustainable controls can have a direct financial impact on a company, helping to prevent large losses or regulatory fines, fees, or penalties.
With all the above information at hand, knowing the full range of risks it faces and controls at its disposal, a company can tackle some practical business decisions. In the final strategic analysis phase, managers may discuss the allocation of company resources and evaluate whether potential gains will outbalance losses in a proposed course of corporate action. ERM strategic analysis can be used to help answer questions such as:
Should we enter into a new line of business or develop a new product?
Should we expand and open a branch office in a specific location?
How much capital should the company hold in reserves?
Often, part of any analysis will include an evaluation of the company’s actual or potential claims that may result from a new product or office location, considering also the political, social, legal, and regulatory environment. It also may necessitate the development of new claims policies and procedures to mitigate loss prior to undertaking an activity. Having strong controls that mitigate the downside of risk, a company then can focus on the upside of risk—pursuing business opportunities.
Implementing ERM – The Benefits
Under a robust ERM framework, there are many benefits to the claims department. Prior to the implementation of an ERM program, companies often approach risk control and compliance activities with a silo approach; there is little or no collaboration or standardization of mitigation techniques or controls between business units.
Bringing risk management for multiple departments into one ERM program or function significantly improves the company’s chances of managing risks well and can help the claims function, in particular, to do its job better. Foremost, having an ERM program broadens the relationship between claims and other business units in the organization. Discussions of potential loss faced across the enterprise by an action, event, or activity can deepen all participants’ understanding of interdependencies between departments. Claims, legal, and compliance staff, where previously segregated or siloed, become more aligned, facilitating the sharing of regulatory and compliance information of common interest.
Communications and overall relationships may also improve between claims and other operational departments, such as underwriting, actuarial, and finance. There may be more analysis or transparency around how claims and claims reserves impact overall capital of the company. As a result, implementation of a formal ERM risk assessment process often provides new perspectives on how information about the company’s risks should be organized and managed, including claims-related risks. This new perspective often leads to reassignments of resources and staff responsibilities, warranting new or revised workflows, managerial approval procedures, or attestation processes.
Major Claim Risks for ERM
First- and third-party claims, whether settled quickly or litigated, are typically one of the insurer’s largest and most obvious sources of financial loss. However, an ERM program is likely to focus more narrowly on distinct risks specifically relating to, or arising out of, the claims-handling process. Such risks could include and be documented as:
Improper or erroneous claims handling, leading to marginally larger claim payments than expected;
Payments for claims handling made in bad faith; and
Settlements, fees, or fines relating to consumer complaints generated by claims handling.
Another significant source of claims risks is potential violations of insurance laws and market conduct regulations.
Common Challenges for Claims in the ERM Process
While claims professionals may be used to regularly assessing the value of concrete losses in the claim reserving process, valuing potential or emerging risk for an ERM risk assessment is often more complex, factoring in a wider range of data and variables. Correlations between multiple claims, such as the aggregation of property claims or the relationship of claims arising from a products liability loss, must also be considered. In this way, risk assessments in the claims department may be handled slightly differently than in other functional areas.
Risk assessments may also be more challenging for claims than for some other departments. Severe shock losses arising from claims handling are not uncommon, particularly in the litigation of bad faith cases, where financial losses are high but the frequency of risk is low. Extreme variances in potential loss can skew the evaluation of claims-handling risk and distort a projection of trends to make a risk seem more serious than the average historical data would otherwise predict.
Also, evaluation of risk can be complicated by the high potential for aggregation of risks/losses from certain claims-handling activities across hundreds of claims. For example, one mistake in a claims settlement calculation program, or failure to recognize a change in one important state law, may get magnified significantly when the mistake or failure continues across many claims.
Another challenge involves the process of documenting, monitoring, and improving key controls that mitigate loss. Without claims controls and day-to-day written claims-handling policies and procedures, insurers are at risk for significant losses. Of note, failures of claims controls, such as inability to meet claims regulations and keep claims policies and procedures updated, rank high among the top 10 criticisms found on market conduct examinations, according to Wolters Kluwer Financial Services’ annual market conduct surveys. Such violations have resulted in millions of dollars of fines, fees, and penalties.
Further, many statutes address not just claims matters but also policy wording requirements, consumer complaint issues, or general compliance mandates. Each claims policy and procedure must therefore be drafted and evaluated in light of multiple considerations, such as:
The specific law(s) or regulation(s) being addressed;
An evaluation of resources available to implement and maintain the control;
All risks of non-compliance (financial as well as reputational);
The company’s general philosophy and appetite for compliance; and
Customer relations, local business, and market custom and practice distinctions.
As a result, it’s not always clear who within the insurance organization needs to respond to potential claims-related risks, how best to respond, and how to keep updated with laws in order to update policies and procedures and track updated risks within the ERM framework. Assigning accountability for controls is critical to managing risk.
A final challenge is determining how to best communicate current claims-related losses, likely potential losses, and emerging risks as part of the company’s ERM program. Information may need to flow both to and from claims and senior management, other departments, or a risk team. To maximize ERM efforts, companies may need to adopt a wider and more detailed distribution of claims losses and historical data, as well as developments in other business units, sharing more information than what may have been shared in the past.
Improving Claims Participation in ERM
To meet these challenges, everyone involved in ERM and claims efforts should work together, aligning themselves in a common framework with common goals and a coordinated approach. For the claims professional, participation in the ERM process can be improved by the following:
Claims should receive more advance notice of, and more information about, regulatory changes, new product lines, business partners, vendors, and other strategic issues faced by underwriting teams as well as other operational departments.
Consider ways to better integrate ERM controls and claims policies and procedures, making sure that where there is an identified risk there is a control and that the control is documented in an up-to-date policy and thorough day-to-day procedure. If there is a claims procedure, identify and document what risk it is trying to control. This kind of “gap analysis” can be helpful not only to prevent or mitigate direct losses, but also avoid market conduct criticisms.
Within the ERM program, make sure to discuss the potential groupwide impact of improper claims handling on the company’s overall reputation, including direct loss of business and strained agent and reinsurance relationships.
Invest in technology to automate and facilitate compliance and regulatory change management tasks, tracking and disseminating claims and corporate policies and procedures, and managing overall ERM programs to ensure all interested parties are in the loop on risk matters. With systems automating and streamlining the claims compliance and ERM process, insurers can have a more transparent view of risk within their organizations.
Despite the challenges that their department may face while implementing an ERM program, claims professionals provide crucial skills, wide perspective, and valuable insight to help a company assess claims handling and related risk.
Denise R. Tessier is a senior regulatory specialist, insurance risk and compliance, at Wolters Kluwer Financial Services. She has been a CLM Fellow since 2012 and can be reached at (781) 907-6662, www.wolterskluwerfs.com.