The specific tools and strategies used to herd risk vary by company and depend on the line of business and the nature of the risk itself. However, as a general rule, a basic saddlebag of control activities includes:

Strong Talent: Competent, well-trained managers and staff with clear lines of responsibility that are documented in written job descriptions and procedure manuals are good investments.

Segregated Duties: Separating authorization, custody and record-keeping roles can help reduce the chance of errors or irregularities. It also fosters operational efficiency and allows for timely, effective communications between team members.

Supervision and Monitoring: Reviews and analyses of actual results vs. ERM plans and corporate goals, operational reviews, and other key performance indicators are essential to verify that controls are operating properly.

Documentation and Record Retention: Thorough recordkeeping that substantiates transactions provides reasonable assurance that all information and business dealings are accurately recorded and retained.

Physical and IT Safeguards: Locks, fences and physical barriers to protect property are important for safeguarding company property and other kinds of assets. Today, security efforts also encompass information processing and data protection and privacy, and include usage of passwords, access logs, etc. to ensure access will be restricted to authorized personnel.

INSURANCE CARRIERS NEED “CUSTOM” LOSS-CONTROL PLANS  

Tight controls are particularly crucial to the success of insurers, whose unique risks may be unusually feisty as compared to other companies. In addition to the more common and docile risks faced by any organization, insurers must rein in and tame the many intimidating risks running through:

• Government-mandated solvency and technical-reserves requirements
• Heavy 50-state regulatory-compliance obligations
• Underwriting and policy-issuance functions
• Claims-handling practices and frequent litigation threats
• Heavy use of information systems
• Many interconnected third-party and consumer relationships

Within the ERM ring, insurers create policies and procedures which can operate at different levels of effectiveness depending as much on the culture of the company as on the specific control techniques. Integrity and ethical values, leadership philosophy and operating style, plus the way management assigns authority, responsibility and develops its staff, can all help secure a big payoff in the ERM contest.

Companies with an “eye on the prize” establish consistent, robust procedures in light of national and state regulation. They consider not only the cost of implementing a control, but the serious financial and nonfinancial consequences of not implementing a procedure. They also focus on long-term strategic success, rather than short-term profitability or growth indicators as performance goals.

With their unique challenges and potentially catastrophic losses, carriers have developed specialized, stronger reins to help control unruly risk, including:

Underwriting Guidelines: Written underwriting guidelines document company appetite for risks, set out authorities, scope out classes of business written and establish consistent policy limits, all in line with business goals. 

Underwriting guidelines are often hitched to automated system controls—particularly helpful for verifying that authority levels and aggregation thresholds are not breached. Additional controls include peer reviews, controls around policy-issuance processes and monitoring aggregation of underwriting risk assumed in specific locations.

Claims-Handling Guidelines: Claims-handling guidelines set forth company policy and best-practice standards for day-to-day claims handling, based on legal requirements and local insurance-department rules. They also may address internal controls and procedures for mitigating claims-related business risk, such as establishing reserves, pursuing subrogation or performing claim audits.

Regulatory Compliance Systems: IT systems can spur on companies toward better risk management. Tailored IT systems help companies mitigate many risks, but can be particularly helpful in managing regulatory compliance or legal risk, enabling insurers to comply with laws such as those affecting entity licensing, policy rate and form filings, consumer relations, terrorism reporting, anti-money laundering and fraud detection.

Formal Financial and Investment Policies: Insurers are heavily reliant on investment income for profitability and are keenly impacted by general financial-market conditions. Accordingly, detailed contracts, protocols and designation of authority levels are used to control investment-management activities, financial decision-making, taxes and accounting-related transactions. Written statements of investment strategy are important controls to help ensure transparency and consistent application of policies in day-to-day operations.

Controls for Managing Third Parties: Insurers typically rely on a number of third parties to help run their business and have many representatives acting on their behalf in fiduciary capacities. This includes managing general agents, outside adjusters or claim administrators and other vendors. Thus they must establish clearer, more detailed procedures for managing such relationships than perhaps exist in other sectors. For example, they may delegate authorities more formally, execute thorough written contracts with appropriate indemnities and establish supervision protocols through regular site visits or frequent audits.

POINTS OF IMPROVEMENT

While insurers have advanced significantly in their risk-roping efforts, there are no perfect controls—and any control system has weaknesses. These limitations can include human error, inadequate staff for risk-management functions, insufficient financial funding for control efforts and general lack of education or training. The degree of control and the extent or steps needed to perform a procedure may not be commensurate to a risk. The financial cost of implementing a control may exceed the expected benefit.

However, some control is usually better than no control at all, and where there is control weakness, there also may be room for improvement. To maximize control effectiveness, companies may consider:

• Establishing a dedicated, centralized corporate function for risk management, which may bring an objective or neutral second pair of eyes and fresh perspective to controls established on a by-department basis.
• Linking individual performance measures and compensation to the success of controls assigned.
• Striving to make controls mostly “preventive” and not “detective” and dedicating more resources to front-end controls like staff training and education. Also: investing in IT systems that will help make day-to-day compliance with policies and procedures much easier.
• Designing procedures and workflows so that they cannot be easily circumvented, which may mean more automation, management or audit review.
• Ensuring that department-specific controls are being reviewed routinely, match what is actually done in practice and are updated as necessary to reflect the changing risk environment. In addition to internal audit's responsibilities for control assurance, regular departmental self-assessments should be conducted by managers and staff owning significant risks.

In corralling risk with robust system controls, companies gain comfort that they are complying with applicable laws and regulations and that published financial statements are accurate and reliable. They have a better understanding of where their resources can be used efficiently and minimize the occurrence of surprise claims, losses or workflow disruptions. In the end, companies seek assurance that their strategic objectives are being achieved. Effective controls help win the ultimate purse.