Compliance and Risk Management for Managing Agents

The European Commission is pushing ahead with the implementation of so-called "Basel II" into the insurance sector with Solvency I, coming into effect on the 1st January 2004, and Solvency II under discussion. These changes require the industry to implement sophisticated risk management techniques.

These instruments introduce a requirement for managing agents to have an adequate risk management system. Implementation of the requirements comprises four stages: the setting of goals and strategy; the identification and assessment of risks; the implementation of controls; and ongoing monitoring and reporting.

Whilst insurance is about risk management the FSA will change both the regulatory environment and the industry dynamics. These changes include proposals that managing agents will need to show that they are managing significant prudential risks and be accountable to the FSA, rather than just the Society of Lloyd's as has been the case to date.

From the work Eurobase has done in developing and implementing business performance and risk monitoring systems, it is clear there are great differences between companies in their understanding of the impact of, and in their degree of preparation to handle, the changes required to manage their insurance, operational, credit, liquidity and market risks as required by CP178.

Risk analysis and reporting to the Lloyd's franchise and capital providers will become more significant in the future. Under CP178 the managing agent is required to calculate the information for risk adjusted capital requirements and to maintain the necessary records consistent with risk based approach. Ultimately an insurer's management of risk will affect its credit rating and ability to raise capital. However, few companies seem to be treating this issue seriously at the moment.

In meeting the needs of the monitoring and reporting requirement of various directives, insurers need management information that is sufficient to identify, measure and control all the material risks in the business to enable prompt action to be taken as business performance and risk varies outside of accepted parameters. As such, the information to be gathered should be structured so that it has impact and meaning for each layer of management, from the governing body to operational supervision.

Instrument 2002 also requires that the management information is not just concerned with statistical historical data, but considers a range of possible outcomes. Hence the results of stress and scenario testing should be provided, to help insurers identify the financial impact of risks under varying conditions. Most companies find it impracticable to meet this requirement with the systems they have today. For example how long did/will it take the market to assess the impact of the Twin Towers tragedy? Given the effort and time expended on an actual event, how can one expect companies to model several scenarios in order to understand potential exposures?

The need for consolidation across syndicates cannot be ignored.

One of the problems is that meeting the needs of risk management requires managing agents to consolidate information from a number of disparate systems, including underwriting, claims administration, management and financial accounting. This is often time-consuming, as different systems treat data differently and all this has to be resolved to produce a report at a managing agent level. Different systems within different syndicates cause problems with the accuracy of data and the timeliness of reports for many agents. As under CP178 there is a requirement on managing agents to diversify their exposure to market and credit risk etc., the need for consolidation cannot be ignored. This is because the insurance risk at syndicate level may compound at managing agent level.

Once the data quality issue has been solved it is important to ensure that it does not lead to "information overload". A more intelligent solution is required, such as a system that monitors and reports against a number of key performance indicators (KPIs) at each level of the organisation. This implies a hierarchy of data, starting with data integration from all the companies' processing systems leading to a business intelligence level for monitoring operations and then an analytics capability which enables risk management. The analytics are geared to the organisation's KPIs, which are often unique to the company - being the practical realisation of how the organisation differentiates itself from the competition. This KPI approach enables executives to look at the overall business performance, and risk profile, of the company, identify any areas of concern and then drill down into the detailed data as required enabling preventative actions to be initiated.

A typical KPI "dashboard" contains data on operational performance along with budgets to enable performance monitoring on an active basis. The information held should include both financial and underwriting performance. This will allow a comparison to budgets and variance analysis along with risk/reward data to enable capital allocation decisions to be made based on a risk adjusted capital adequacy basis. In this manner the company's management can ensure that the overall corporate risk policy is being implemented and any risks outside of this policy identified for management action.

Need to act now

However, collecting data from today's operational activity is only part of the solution. It is widely recognised that five to seven years of history is required for meaningful statistical analysis of the likelihood and impact of operational risk. This means that it will take some time before insurers are able to analyse their complete risk profile and allocate capital to cover those risks in a systematic way. In the meantime it is important for insurers to start implementing the risk management principles in order to gain experience and build up the necessary infrastructure that is required. On this basis Eurobase has found it is better to start implementing the business analytics solution taking an evolutionary approach in order to build understanding and start gaining payback sooner rather than later.

Given the way that the FSA is moving with regard to introducing risk management into the compliance regime, then insurers need to be moving now or risk being at a disadvantage compared to those who, through better risk management practices, are able to reduce their capital adequacy requirements. That way, insurers will already be better prepared for compliance with the proposals that will eventually emerge from the CP178 and Solvency II consultative documents.