In the rodeo arena, it is amazing to watch how quickly a wild, bucking, obstinate animal becomes controlled and subdued by the agility and technical roping skills of the cowboy.

In the enterprise risk management (ERM) arena, risk management professionals perform similarly amazing feats, rounding up and lassoing a herd of risks that are potentially dangerous, unpredictable, and hard to manage. They do this using a system of effective internal controls.

Internal controls consist of all the measures taken by a company to help ensure that its full stable of potential risks or losses is well managed, in light of the entity's business objectives. As described in my May 25 blog, it is the ultimate goal of an ERM program to establish a suite of specific techniques, policies, and procedures to reduce or mitigate identified risks as much as possible.

While they won't operate to eliminate 100 percent of all risk, well-developed, sustainable controls will have a direct financial impact on a company. Control activities occur throughout the organization, at all levels, and cover a wide range of activities as diverse as approvals, audits, reconciliations and IT system monitoring.

Tight controls are particularly crucial to the success of insurers, whose unique risks may be unusually feisty as compared to other companies. In addition to more common and docile risks faced by any organization, insurers must rein in and tame the many intimidating risks running through:

  • Government-mandated solvency and technical reserves requirements;
  • Heavy 50-state regulatory compliance obligations;
  • Underwriting and policy issuance functions;
  • Claim-handling practices and potentially frequent litigation threats;
  • Heavy use of information systems; and
  • Many interconnected third-party and consumer relationships.

Within the ERM ring, insurers create policies and procedures, which can operate at different levels of effectiveness depending as much on the culture of the company as on the specific control techniques. Integrity and ethical values, leadership philosophy and operating style, plus the way management assigns authority and responsibility and develops its staff, can all help secure a big payoff in the ERM contest.

Companies with an “eye on the prize” establish consistent, robust procedures in light of national and state regulation. They consider not only the cost of implementing a control, but the serious financial and non-financial consequences of not implementing a procedure. They also focus on long-term strategic success, rather than short-term profitability or growth indicators as performance goals.

The specific tools and strategies used to herd risk vary by company and depend on line of business and the nature of the risk itself. However, as a general rule, a basic saddlebag of control activities includes:

Strong Talent. Competent, well-trained managers and staff with clear lines of responsibility that are documented in written job descriptions and procedures manuals are good investments.

Segregated Duties. Separating authorization, custody, and record-keeping roles to prevent fraud or error by one person can help reduce the chance of errors or irregularities. It also fosters operational efficiency and allows for timely, effective communications between team members.

Supervision and Monitoring. Reviews and analyses of actual results versus ERM plans and corporate goals, operational reviews, and other key performance indicators are essential to verify that controls are operating properly.

Documentation and Record Retention. Thorough recordkeeping that substantiates transactions provides reasonable assurance that all information and business dealings are accurately recorded and retained.

Physical and IT Safeguards. Locks, fences, physical barriers, etc. to protect property are important for safeguarding company property and other kinds of assets. Today, security efforts also encompass information processing or data protection and privacy, and include usage of passwords, access logs, etc. to ensure access will be restricted to authorized personnel.

For insurers, powerful, rearing losses may need firmer handling. Carriers have thus developed specialized, stronger reins to help lead and break unruly risk:

Underwriting Guidelines. Written underwriting guidelines document company appetite for risks, set out authorities, scope out classes of business written, and establish consistent policy limits, all in line with business plan goals. Underwriting guidelines are often hitched to automated system controls—particularly helpful for verifying that authority levels and aggregation thresholds are not breached. Additional controls include peer reviews, controls around policy issuance processes, and monitoring aggregation of underwriting risk assumed in specific locations.

Claims Handling Guidelines. Claims handling guidelines or manuals set forth company policy and best practices standards for day-to-day claims handling, based on legal requirements and local insurance department rules. They also may address internal controls and procedures for mitigating claims-related business risk, such as establishing reserves, pursuing subrogation, or performing claim audits.

Regulatory Compliance Systems. IT systems can spur companies on toward better risk management. Tailored IT systems help companies mitigate many risks, but can be particularly helpful in managing regulatory compliance or legal risk, enabling insurers to comply with laws such as those affecting entity licensing, policy rate and form filings, consumer relations, terrorism reporting, anti-money laundering, and fraud detection.

Formal Financial and Investment Policies. Insurers are heavily reliant on investment income for profitability, and are keenly impacted by general financial market conditions. Accordingly, detailed contracts, protocols, and designation of authority levels are used to control investment management activities, financial decision-making, tax and accounting-related transactions. Written statements of investment strategy are important controls to help ensure transparency and consistent application of policies in day-to-day operations.

Controls for Managing Third Parties. Insurers typically rely on a number of third parties to help run their business, and have many representatives acting on their behalf in fiduciary capacities. This includes managing general agents, outside adjusters or claim administrators, and other vendors. Thus they must establish clearer, more detailed procedures for managing such relationships than perhaps exist in other sectors. For example, they may delegate authorities more formally, execute thorough written contracts with appropriate indemnities, and establish supervision protocols through regular site visits or frequent audits.

While insurers have advanced significantly in their risk-roping efforts, there are no perfect controls—and any control system has weaknesses. These limitations can include human error, inadequate staff for risk management functions, insufficient financial funding for control efforts, and general lack of education or training. The degree of control and the extent or steps needed to perform a procedure may not be commensurate with a risk. The financial cost of implementing a control may exceed the expected benefit.

However, some control is usually better than no control at all, and where there is control weakness, there also may be room for improvement. To maximize control effectiveness, companies may consider:

  • Establishing a dedicated, centralized corporate function for risk management, which may bring an objective or neutral “second pair of eyes” and fresh perspective to controls established on a by-department basis;
  • Linking individual performance measures and compensation to the success of controls assigned;
  • Striving to make controls mostly “preventive” and not “detective,” dedicating more resources to front-end controls like staff training and education, and investing in IT systems that will help make day-to-day compliance with policies and procedures much easier;
  • Designing procedures and workflows so that they cannot be easily circumvented, which may mean more automation, management, or audit review; and
  • Ensuring that department-specific controls are being reviewed routinely, match what is actually done in practice, and are updated as necessary to reflect the changing risk environment. In addition to internal audit's responsibilities for control assurance, regular departmental self-assessments should be conducted by managers and staff owning significant risks.

In corralling risk with robust system controls, companies gain comfort that they are complying with applicable laws and regulations, and that published financial statements are accurate and reliable. They have a better understanding of where their resources can be used efficiently, and minimize the occurrence of “surprise” claims, losses, or workflow disruptions. In the end, companies seek assurance that their strategic objectives are being achieved. Effective controls help win the ultimate purse.
