The new FSA rules mean directors are now in charge of ensuring proper controls are in place. Adrian Leonard says this signals a new era of risk management within non-life companies

Risk management of non-life insurance companies is rising high up the agenda in UK boardrooms, analysts' conferences, and shareholders' meetings. Two factors are driving this revolution: external pressure, including regulatory action such as the Turnbull guidelines on corporate governance for listed companies; and the simple awareness of new threats in today's more complicated world (as highlighted by rogue traders and massive bankruptcies) and the desire to mitigate them.

Insurance companies face more regulatory pressure than most. Alongside that with which all UK businesses must comply, insurers have to contend with the weighty rulebook of the Financial Services Authority (FSA). Since N2, the day last year when the FSA's rules had to be implemented, another new driver has been accelerating the risk management renaissance among UK insurers: SYSC, the FSA's senior management systems and controls.

Control systems
SYSC extends rules about management responsibility for risk management issues from banks to all FSA regulated companies - including insurers. Previously, all companies ought to have had such controls in place to prevent disaster for their own benefit, but now they must do so in order to comply with regulatory requirements. Having control systems is not enough: they must be documented, with responsibilities assigned and records of risk management processes made and kept.

Assigning and reporting responsibility - deciding where the buck stops and telling the regulators - is a key part of the new rules. "There is a much clearer allocation of responsibility to directors," says John O'Roarke, managing director of Churchill Insurance. "Board members are directly responsible for ensuring proper measures and controls are in place, and directors must be able to demonstrate that they are satisfied they have met those obligations."

In addition, responsibility for individual risk decisions must be logged. Each time a particular risk is assessed, the complying company must record the nature of the risk, as well as the level of management at which decisions about that risk were taken.

O'Roarke describes the extension of risk responsibility under N2 as "very directive", particularly in its assignment of responsibility. "It says the chief executive of the regulated business has to allocate responsibilities for each of the controlled functions, and for all of the business risks the companies might face. It pitches it at the highest level."

Degrees of impact
N2 was 1 December 2001. While there was no ensuing compliance panic - insurers had been preparing for more than a year - the impact of SYSC was felt to varying degrees by all insurers.

Most view it in a positive light. Keith Jackson, director of business risk and compliance at Norwich Union (NU), says: "In a simple sense, N2 probably did not do a great deal to our risk management, although it pushed along things we were already looking at." When he joined NU 15 months ago, the UK giant had already implemented "pretty robust risk management processes predicated on Turnbull".

Yet N2 has driven the process further along. Jackson mentions the devolution of audit committees from the group level to the business unit level. "We are looking at how we use non-executive directors on those committees. At the divisional level we use surrogates, but we are looking at getting non-executive directors involved, in line with FSA best practice. N2 has been a really good reinforcement. The emphasis on systems and controls has put risk management into sharper focus, and underlined its importance."

Groupama chief internal auditor John Ellender says the company positioned itself in advance of N2 by establishing a compliance function and upgrading the internal audit function.

"The key thing we have done is to say we need to have a risk based auditing (RBA) resource to ensure the right resources are allocated in the right areas," he says.

Simply adding another layer of administration solely to meet FSA requirements would serve little purpose, he says.

As for SYSC, Ellender says apportioning responsibilities for risk management functions has led to an extension of job descriptions, and the concurrent assessment of existing control processes revealed areas that were not documented to the extent required by the new rules. But, overall, the impact was limited, he says. "We haven't actually changed where responsibilities were, but we are now much more aware of what is happening. And we have made sure processes are properly understood. There were some gaps, but none of them was very significant."

At fast-growing Churchill, the evolution of risk management procedures has been greater. "We are forming a risk management committee that is specifically tasked with ensuring [risk management] obligations are met," O'Roarke says.

"Its role is not just to satisfy N2, but to identify and consider all the business risks we face, and to mitigate those risks where possible. If we choose not to, because it is too expensive or impractical, we have to document that we have gone through the thought process and it has been properly considered.

"We will continue to do a lot of the things that we always did, but we now have to document them more rigorously."

O'Roarke says three simultaneous events have spurred risk management action at Churchill. First is growth. "Today our business is six times bigger than it was six years ago and, as a result, is massively more complex," he says. "Second is greater focus on corporate governance generally in the business world, and third is the particular requirements of the N2 regime."

More awareness
O'Roarke stresses that the main driver is the business need to improve risk management structures. Trends and compliance are secondary issues. "The process has increased the awareness among the management team of risk management issues. There is now a feeling that if we don't get this right, it could be very damaging to the business."

Much work has been done to satisfy the N2 regime. "We have documented all our business risks, we have risk logs for each of the business areas or risk areas, and we have done a lot of documentation of systems of control for mitigation of risk," he says. Meanwhile, more work is underway. "The committee is at its formative stage. We are just putting together the list of people."

Again he mentions that the drivers are not just compliance, but the straightforward need to protect the business, employees and the decision makers involved. Failure to do so could be costly. "Considering the position insurance companies are in today, it is unthinkable that you could not do it," he says. "At a corporate level, it could be enormously damaging to your business and your reputation. Personally, for directors, the cost could be a sentence at Her Majesty's pleasure."