COVER STORY

Risk Management & Internal Control in Insurance Audits

The insurance industry is a typical industry that has blossomed in the last few years. Since it is a risk-based industry, it is closely governed by regulatory bodies like IRDA and related legal statutes. As far as risk is concerned, there is a basic conflict that needs to be balanced. On the one hand, it is desirable to have the largest possible amount of capital, as this reduces the risk of total claims exceeding its capital resources, and on the other hand, the amount of capital in hand should be kept as small as possible so that the insurer can earn an attractive return on invested capital for its shareholders.

Risk Management tools

An insurance company has to adopt a structured approach to risk management with various risk management tools in the form of:
• Risk Status Control Checklists
• Safety level indicators in the form of Ratios and Absolute figures with 'On-line'-'Red Flag' response, on safety level being breached
• Periodic comparative charts and snapshots of key figures focused on specific risk factors with emphasis in the following areas:
  • Underwriting
  • Systems Reliability
  • Actuarial assumptions - Pricing and Loss Reserving
  • Adherence to investment policy and constant review
  • Compliance with solvency regulations
  • Compliance with Investment Regulations
  • Accounting policies in accordance with regulations
  • Industry benchmarking

Risk Management in Life Insurance Business - External Risks

Catastrophic occurrences would affect life insurance companies, in so far as they are not included in the exclusions in the contract. Insurance companies could be pro-active to face such eventualities.
• Develop a reserving model (actuarial valuation) which includes assumptions considering a probabilistic occurrence of catastrophes and provide for the same on a rational basis
• Obtain updates from geological, meteorological and other relevant institutes to prevent underwriting under known circumstances (more relevant to General Insurance companies).

Risk is an integral part of the insurance business. Organisations are beginning to see the need to make risk management a key competency in order to ensure optimum performance. Care must be taken to observe the following in this direction:
• The effectiveness of the organisation's risk management process must be monitored continuously.
• While line managers should be primarily responsible for risk management activities (self-assessment, reporting, etc), internal audit can monitor the effectiveness of the entire risk management architecture.

Risk factors under Business Process can be categorized as inherent risk factors and control risk factors:

1) Inherent Risk Factors - The identification of inherent risk requires a review of the insurance company's operations during the detailed planning process by taking into account general business characteristics stated below. These are relevant for all business processes.
• Business Structure
• Products
• Business Relationships
• Company Culture
• People

2) Control Risk Factors - The control risk factors pertain to the operations within individual processes. The potential errors which could result from these risks would generally relate to genuineness/validity, valuation/measurement and cut-off/completeness.
• The ensuing slides under Business Process Risks deal with the Control Risk factors relevant to life insurance companies.
• It should be noted that at the commencement of business specific emphasis should be placed on inherent risk factors by considering the impact of various business characteristics

Strategic Planning: The initial strategic plan of the company determines its future survival, growth and stability. It is extremely essential that the strategic plan is well thought out in all respects including market positioning, consumer trend forecasting and organizational structure. The controls to mitigate risks in case of Strategic Planning include:
• Forecasts and perceptions of the political, economic and industry developments to be appropriately made for the success of the business plan
• Brand positioning to be planned appropriately considering target client base and the dilemma involving Risk vs. Investment based products.
• Consumer trend forecasting to be realistic and research based which could have an impact on the success of the products and distribution channels.
• Resolving organization structure problems which otherwise could result in high costs, operational inefficiencies and affect overall profitability

Business Process Risks: In order to minimize the business risks, care is to be taken to ensure:
• Systematic and well researched products, based on reliable databases and information, to be developed to avoid huge underwriting losses
• Active product development and innovation to be ensured by introducing new products to maintain competitiveness of the company
• Ineffective use of available international expertise in the area of assumptions built into product models as well as the add-ons and riders could result in losing market share

Underwriting is a fundamental process for the operations of the insurance company since it comprises examination and evaluation of applications for insurance, the rating of such risks and the establishment of premiums. The controls to mitigate risks in case of Underwriting include:
• Clear guidelines issued to the staff with respect to underwriting resulting in minimal discretion and less flexibility to the staff to make decisions
• Adequate procedures ensured for identification and investigation of risks assumed
• Effective communication between the underwriting and claims department is important
• Insurance premium rates to be developed in accordance with accepted methodologies and regulatory guidelines
• Systems to be in place to identify on an on-line basis, premium deficiency, if any
• Adequate guidelines for obtaining reinsurance, and monitoring adherence thereof

Premiums are calculated for each product by the actuary after considering several factors such as expected rate of return (interest rate), payouts and benefits, inflation rate, mortality, morbidity etc. The controls to mitigate risks in case of premiums include:
• Written premiums are correctly calculated at their appropriate transaction amount (from rate tables) in accordance with the nature and terms of transaction
• Written premiums relate to bonafide insurance risks assumed by the insurance company
• Consideration is received by the insurance company in accordance with the policy terms
• Written premiums and relevant policyholder data are appropriately recorded in the underlying financial records and register of policies
• Written premiums are recorded in the appropriate period

Commission: This forms a major chunk of the acquisition costs in case of life insurance business. Control over commission is important; however, at the same time adequate incentives need to be given to increase business volumes and sustain growth. This calls for a strategic balance and the controls to mitigate risks. Controls in case of commission include:
• Appropriate contractual agreements are entered into with agents and intermediaries.
• The rates and contractual agreements entered into are approved by responsible officials.
• Commission provided and paid pertains to bonafide risks assumed by the insurance company.
• Policies are duly suspended on non-payment of premium, and where relevant, commission is not paid
• Commission is paid in accordance with the ceiling prescribed by the regulatory requirements and no other payment is made to the agents in addition to the commission beyond the prescribed limits.

Reinsurance: An insurance company should underwrite risks to the extent permissible with the available capital resources, and the risk in excess of the capital resource capacity should be ceded to reinsurers. Controls to mitigate risks in case of reinsurance include the following:
• Reinsurance is effected for policies in line with IRDA approved reinsurance guidelines
• Reinsurance ceded assets and liabilities are properly valued, each in accordance with their nature and applicable accounting principles reflecting the events and circumstances that affect their underlying valuation and whether reinsurance recoverables are collectible
• Reinsurance ceded transactions are correctly calculated and reflected at their proper amount (including allocation to the correct accounts and translation of foreign currency transactions)
• The financial stability of the reinsurers should be monitored by management on a regular basis

Claims: The claims ratio is one of the important ratios monitored by insurance companies for loss reserving and is considered by actuaries while making assumptions for reserving and pricing. It is closely linked to underwriting. Controls to mitigate risks in case of Claims include the following:
• Claims represent valid obligations of the insurance company in respect of policy contracts in-force when the loss is incurred and cover the related risk event
• Claimants and others receiving payments are bonafide and entitled to such payments within applicable policy provisions
• Claims evaluation and investigation processes are efficient with appropriate supervisory and cross controls to avoid unwarranted underwriting losses.
• All relevant claims data, including payment and recovery data, is appropriately recorded in the underlying financial and statistical records
• Adequate procedures for estimation of loss reserve (IBNR) and relevant calculations and assumptions are documented and industry specialists such as actuaries consulted
• Guidelines for claims adjusting and payment authorization are established and are being followed

Investments: Returns from the investments determine the increase in capital resources and the required solvency margin, which consequentially determines the capacity to underwrite risks. Controls to mitigate risks in case of Investments include the following:
• Investments are adequately safeguarded and secured
• Investment acquisition and dispositions are in accordance with the stated investment objectives and policies and are duly authorized
• Investment objectives and policies duly consider asset liability matching and give due emphasis to research based investments.
• Investments reflect all events and circumstances that affect their underlying valuation (including impairment) in accordance with applicable accounting principles.
• Investments and more specifically, “other than approved investments” are monitored by the management on a continuous basis.
• Investment acquisitions and dispositions, market values and premiums or discounts are correctly calculated at the appropriate amount, in accordance with the nature and terms of the transaction and applicable accounting principles

Income: Solvency margins of an insurance company depend upon regular returns on investments in accordance with the assumptions made for the purpose of pricing and actuarial valuation of policies at the year end. Controls to mitigate risks in case of investment income include the following:
• Investment income accruing to the company is appropriately recorded and duly received by the company
• Investment income represents amounts earned on or losses incurred from investments and where the company has the legal right to receipt of such income
• Investment income is recorded in the appropriate period and calculated in accordance with the nature and terms of the investment and applicable accounting principles and regulations

Expenses of Management: A control over expenses has a consequential impact on the cost loading process while pricing of premium, which in turn provides a competitive edge to the insurance company and avoids cash flow strain. Controls to mitigate risks in case of expenses of management include:
• Expenses are incurred only for the products and services properly ordered by the company
• Expenses are monitored by responsible officials to enable effective cost control and to maintain the same at the minimum level appropriate for business
• Expenses incurred are appropriately reflected and recorded in the correct period in the accounting records.
• The risk of double payment is avoided by stamping the supporting document as paid
• Cheques in respect of the payments are made on the basis of requisition of authorized signatories and the cheque preparers have a list of the authorized signatories to confirm their authority
• The cheques are kept under lock and key and the serial numbers tracked

IT Systems risks: Information Technology (IT) has become a key enabler in improving effectiveness and efficiency of Business Operations. However, use of IT gives rise to risks as well. These Risks include:
• Inherent risk within Information Technology which could lead to security breaches, hacking, etc.
• Weak business controls in IT applications which could lead to fraud, manipulation of data etc.
• Lack of availability or change in IT systems leading to adverse impact on reliability of business operations.

IT risks can be mitigated by robust controls through comprehensive IT Security Policy & Procedures which cover issues relating to:
• Logical & Physical Access of IT systems
• Computing Environment management
• Communication Systems Management
• Network Security Management
• Third Party & Outsourcing, etc.

Further, regular reviews are required to ensure these controls are in place & working effectively to ensure Confidentiality & Integrity of Information.

Availability of IT systems is strategic for business operations as a lot of reference is done from stored data about policyholders. Failure in information systems could lead to disruption of business processes and so adequate Disaster Recovery Planning needs to be done and implemented to ensure continuity of business even in case of non-availability of IT systems.

The data obtained from the IT systems should be reliable and free from any processing errors or other system errors. The reports generated from the Computerized Information System (CIS) form part of the Management Information System (MIS) of the company, which consequentially affect the decision making process. Controls to mitigate risks include:
• Log of processing errors to be generated from the system to identify data integrity issues
• Periodic review of information reports from the system to confirm data validity and reliability vis-à-vis source documents
• Adherence to IT equipment operations instructions to avoid possibilities of processing errors

It is essential to have the data in soft form to obtain information readily and to enable performing analysis on past data. Thus data banking is of vital importance, especially in case of actuarial related functions, where the depth of the database determines the quality of the assumptions used in the pricing and reserving models. Controls to mitigate risks:
• The company has in place adequate disaster recovery procedures with data backups available on-site, as well as off-site
• The data storage media are periodically tested to ensure the reliability and efficacy of storage media being used
• A data storage log is maintained and the same is reviewed by a responsible official

Information is the key strategic edge for growth in business. The confidentiality of data is extremely essential to avoid misuse of the data by unauthorized users and by competitors. The impact could vary from a small business loss to a significant effect on the operations of the company. Controls to mitigate risks:
• Adequate access controls in place such as login IDs and password controls
• Limited access rights are given to view/alter/enter data at different levels where the same are defined by the administrator

Checklists: It is imperative that Insurance Companies have a Compliance Officer who ensures compliance with all relevant laws and regulations and formally submits periodic compliance reports based on a compliance check using Checklists.

(Author is Sr. Manager in Walker Chandiok & Co in the Audit & Assurance division. He can be contacted at Sudhir.Pillai@wcgt.in)