Underwriting put to the test: Process risks for life insurers in the context of qualitative Solvency II requirements

Transcription

1 Underwriting put to the test: Process risks for life insurers in the context of qualitative Solvency II requirements Authors Lars Moormann Dr. Thomas Schaffrath-Chanson Contact You can download the Knowledge Series at August 2011 Introduction In the context of Solvency II implementation, the regulatory requirements are focusing on the main processes, one of which is the underwriting process, a core component of new business in life and as such a significant risk from a Solvency II perspective. We will first examine the extremely multifaceted process with regard to its susceptibility to operational risks and then in the light of the Pillar 2 requirements for governance (especially outsourcing), ORSA (Own Risk and Solvency Assessment), compliance and internal control systems, before briefly describing how a reinsurer can help its life insurance clients to minimise and manage the risks. Does every step in a process constitute a risk? Underwriting put to the test Description of process Solvency II s so-called principlebased approach has a particular bearing on insurance companies compliance with Pillar 2 s qualitative requirements. Whilst Solvency II makes allowance for proportionality and gives companies a certain room for manoeuvre in designing their own structures and processes from a risk-management perspective, clear requirements are emerging for the identification, evaluation, management of an insurer s processes and the associated reporting, though the implementing regulations are still being drafted and political consultations are still going on. 1 1 The Level 2 and Level 3 texts ( Delegated Acts and Technical Standards respectively) in the Lamfalussy process are still in course of preparation, so that it is as yet too early to place reliance on them. Therefore, in addition to the Level 1 text, this paper is based on the following sources: CEIOPS-DOC-29/09, System of Governance; CEIOPS-IGSRR-09/08, Own Risk and Solvency Assessment (ORSA); CEIOPS-PII-11/07, Risk Management and other Corporate Issues; CEIOPS-DOC-50/09, Supervisory Reporting and Public Disclosure Requirements.

2 Page 2/8 Fig. 1: Example of a traditional underwriting process Sales process Proposal input Underwriting Issue policy or decline Internal underwriter Proposal checker Client, Sales Start Simple assessment Documentation straight-forward not Questionnaire check Additional assessment Documentation Decline proposal Validate and approve not not straight-forward Loadings, etc. without reinsurance with reinsurance End External risk assess. Reinsurer subject to queries Qualified assessment subject to queries Specific assessment Reinsurance quotation Underwriting plays a key role in a life insurer s operational processes, as it functions as a point of entry for new contracts, and hence risks. It is therefore natural for underwriting always to be considered one of the core processes for Solvency II, and it has to be subject to the systematic procedures of an internal control system both in its constituent parts and as a whole. Figure 1 shows an example of how the complete process could look following formal assessment of a proposal. It is immediately clear that the process involves numerous functions and departments. Apart from the proposer (customer), the internal functions such as sales and proposal assessment, and risk assessors with their varying views on the new risks, other outsiders may also be involved: External risk assessors such as specialist and panel doctors Reinsurers for specific questions or cover issues On closer examination, it becomes apparent that not all proposals are subject to one or more assessment stages, which are intended to ensure that the qualitative risk assessment is totally effective. Some of the proposals may be straight-forward and can go through the process to acceptance of the new policy with no further assessment. However, proposals usually go through various assessment loops in the example as many as three separate assessment stages with documentation of the results. The further procedure depends on the result of each step: If the result is negative, the proposal is declined. If the result is positive, the simple assessment is followed by a questionnaire check, which forms the basis for an additional assessment. If the result remains positive, the proposal is approved. If a positive result is qualified, external partners are approached to provide a more in-depth risk assessment. For example, panel doctors can examine the proposer to enable a particular risk to be more precisely assessed.

3 Page 3/8 Fig. 2: Operational risks in the underwriting process Sales process Proposal input Underwriting Issue policy or decline e Internal underwriter Proposal checker Client, Sales a Start c Simple assessment d Documentation b straight-forward not Questionnaire check h Additional assessment Documentation Decline proposal k Validate and approve not not straight-forward l Loadings, etc. without reinsurance with reinsurance End External risk assess. Reinsurer f subject to queries Qualified assessment g i subject to queries j Reinsurance quotation m a Systems/processes Questions inadequate Poor software Call centre information already incorrect b Fraud Incorrect information used for assessment Fully automated processes c Systems/processes Input errors Data protection risk Database errors d Fraud Incorrect information used for assessment e Systems/fraud Imprecise questions Incorrect answers, incomplete forms f Processes/fraud Incomplete instructions, unclear mandate, no policy Corruption g Systems/processes Data protection Failure of external partner Incorrect results No further check h Processes Incorrect interpretation of questionnaire responses i Systems/Processes Divergent definitions PI/RI Incorrect information results in further errors j Systems/Processes Data protection Data transfer k Processes Limit/trigger reached or already exceeded No underwriting guidelines l Processes No dual control m Processes Incorrect information Following this additional assessment, the reinsurer can also perform a specific risk assessment that, due to its more comprehensive database or more extensive specialist knowledge, contributes to achieving a more reliable medical or actuarial assessment and hence to the final quotation. Finally, after the last check and approval, the proposal is priced before being passed on for issue of the policy. Operational risk The scope of the second pillar of Solvency II includes the identification of risks using a risk analysis of operational processes. This risk category has been defined as follows in the EU s Solvency II Directive:, Operational risk means the risk of loss arising from inadequate or failed internal processes, personnel or systems, or from external events. 2 2 Cf. Directive 2009/138/EC, Article 13.

4 Page 4/8 Operational risks arise through weaknesses and incidents in the following four areas: Processes Systems Human error or fraud External events We focus below on risk analyses of the first three areas, as losses resulting from external events, for example fire damage to buildings, do not relate specifically to the underwriting process. As is the case for other processes, operational risks of that kind are managed in the areas of premises security or resumption of interrupted operations. However, some event types associated with information security, namely phishing, hacking, social engineering and data theft, pose a significant risk for underwriting. In this article, they are grouped under terms such as data protection and data security. The extent to which underwriting is exposed to operational risk is clear from the definition: The underwriting process is founded on the information provided by the proposer or the sales function. The health questions in the proposal process represent a necessary hurdle that has to be cleared to progress and are particularly open to error and incorrect information, creating a risk that the entire process might be based on erroneous or deliberately falsified input data. The underwriting process comprises numerous interfaces, for example throughout the internal operational processes, and additional external interfaces with partners such as agencies, medical centres and experts. Highly confidential personal data are transferred at every interface, creating risks of data loss, erroneous data transfer and incompatible IT systems. The involvement of internal functions and outside partners can lead to operational gaps, for example failure to define liability issues properly in policies. The operational risks indicated in Figure 2 can be applied to the actual interfaces and people involved in the process. It is apparent that, in the systems risk area, both data protection and system quality give rise to operational risks. In addition to unavoidable human error, false statements and attempted fraud constitute significant risks, which are, however, difficult to assess. The interfaces to external partners mentioned above can pose particular problems: Data protection risk involved in using and transferring personal data Unexpected failure of an external partner, with no alternative resources available Varying assessment results due to imprecise or even contradictory definitions, e.g. between insurer and reinsurer Imprecise or erroneous guidelines are a frequent cause of risk in the form of weaknesses in processes. For example, if no clear outsourcing policy is in place, it is difficult for a life insurer to manage its external partners, which can lead to incorrect assessment results and shortcomings in data protection. If dual control is not applied at key points in the assessment process, there will be insufficient controls and their quality will suffer, which can increase the error rate or encourage fraud. Particular attention should therefore be paid to ensuring that descriptions of process chains, defined access rights, clear definitions, complete and correct policies and guidelines, fully functional limit controls, and internal controls are in place for processes. When considering the human factor for risk-management purposes, it is useful to distinguish between error and deliberate misconduct. The former risk can generally be reduced through system support along the entire process chain, whereas deliberate misconduct can arise anywhere where there is so much as a theoretical possibility of exploiting a technical, procedural or human weakness with fraudulent intent. 3 Figure 3 shows the main categories of operational risk. 3 Useful information on assessment of financial loss through fraudulent acts can be found at Ernst & Young: European fraud survey 2011 Recovery, regulation and integrity.

5 Page 5/8 Fig. 3: Categories of operational risk Processes No dual control No underwriting guidelines No process chains, e.g. full automation No outsourcing policy No limit/trigger controls Incorrect access rights to processes/data Lack of internal controls Inconsistent definitions Risk of specialists not being available Human error Inadequate underwriting, insufficient enquiry Incorrect input and data transfer Errors/failure: inappropriate pricing Lack of expertise, e.g. in internal audit However, as the details of the Solvency II implementing regulations are still being fine-tuned, it is likely that, in the absence of pressure to adapt underwriting processes, they are not yet fully, or are only partially, in line with Solvency II s extended qualitative requirements. Since the regulations are still in the course of being drafted, this paper should be considered as a first overview to increase awareness of the importance of qualitative risk management. Systems No systems for checking plausibility Defective/ineffective/outdated IT systems Lack of data protection/gaps in information security OpRisk cluster in underwriting process The underwriting process now and in the future The traditional underwriting process is determined by the business and sales model used by life insurers and is founded primarily on the quality of Fraud false information or internal corruption Bribery of external business partners Breach of duty of disclosure prior to the conclusion of contract the medical checks and the financial and technical assessment of proposals. At many companies, it is part of existing risk management systems put in place to avoid or reduce the operational risks described. What role will solvency II play? New governance requirements Extended requirements for structures and processes Articles in the Solvency II Directive directly or indirectly affecting the life underwriting process via Pillar 2 requirements: Art. Name Implications for underwriting and dependencies 36 Supervisory review process Relates to risk identification, segregation of duties and the monitoring of processes, and associated reporting requirements 37 Capital add-ons Possible consequence of intervention by the regulator due to inappropriate governance structures and incorrect risk profiles 38 Supervision of outsourced functions (see also 49) Relates to the willingness and ability of the external service provider to cooperate, transparency and clarity of data, methods and processes, consistency of management of an insurance company 41 System of governance In particular documentation requirements/policies and business continuity management 42 Fit and proper General obligation (cannot be delegated) to ensure that key people in senior management positions and important risk management functions have the required training and integrity 44 Risk management Relates in particular to coherence of risk identification and control and transparency of key decisions concerning core processes 45 ORSA (Own Risk and Solvency Assessment) Relates to the matching of business plans and decisions with risk strategy and the associated limit systems 46 Internal control Identification, performance and documentation of significant internal controls and assurance that compliance requirements imposed by law and the supervisory authorities are met 47 Internal audit Audits of the structures in place and compliance with processes and rules in the risk management of significant activities 48 Actuarial function Focuses on advanced functions such as data evaluation and assessments; responsible for pricing 49 Outsourcing (see also 38) 51/53 Report on solvency and financial condition Rules for protection of policyholders and obligation to ensure that outsourced activities can be inspected by the supervisory authority Reporting requirements, for example relating to risk exposure and governance, are important in this context

6 Page 6/8 A key component of Pillar 2 is the governance system, which every European insurer will be obliged to have in place in a form consistent with the specific characteristics of its operations and enhance in the years ahead. Figure 4 summarises the requirements for a Solvency II-compliant governance structure. Fig. 4: Solvency II governance structure Principles-based Solvency II framework Management is fit and proper Management s responsibility for business and risk strategy The requirements for the underwriting process should be defined in greater detail on the basis of the findings on the operational risks as described above. It is useful to allocate implementation or optimisation responsibilities for each area: Proportionality Governance requirements: Transparent structures Clear segregation of duties Documented policies Regular reviews Risk management system: Quantitative requirements Risk management function Contingency plans (Partial) internal model ORSA (Own Risk and Solvency Assessment) Internal audit Segregation of duties: Structural segregation of responsibility for risk selection and control in underwriting to avoid errors and conflicts of interest ICS: internal control system and compliance function Actuarial function Outsourcing Regular information, documentation and reports Policies: Governance, ORSA, ICS/ compliance, underwriting, risk management including limit and trigger system, outsourcing, remuneration ICS (Internal Control System): Documentation of the main underwriting processes and related key controls in the process, including clear assignment of responsibilities and regular reporting Contingency plans: Written contingency plans to be in place, with physical or virtual systems to cover the failure of external service providers and other business partners involved in the underwriting process ORSA (Own Risk and Solvency Assessment): Documentation of the risk management processes for identifying, assessing, managing and reporting on all of the company s significant risks; ensuring that there is a coherent link between the business and risk strategies and assumptions and plans based on the risk profile; adaptation of the reporting systems to the company s reporting capability, especially with regard to the acceptance and booking of new life business Outsourcing: Creation or adaptation of the procedures and processes at the company and the external service providers to be able to meet the additional regulatory requirements such as contracts, policies and accessibility and availability of information for the regulator; this means, for example, that external risk assessors or reinsurers must document their methodology for medical checks, their actuarial underwriting principles, and the databases and scientific statistics they use, and disclose them on request. This list, which at this stage is still abstract and incomplete, illustrates that, as a rule, companies must already have the necessary functions and systems available, since they need them in any case for their work processes. What is new is the extension of process logic, which had previously been geared to efficient division of labour, to take in a risk-based view of core processes as significant operational risks, which can mean that organisational structure needs to be adjusted in order to meet requirements such as segregation of duties and controllability.

7 Page 7/8 At the core, then, is the need for companies to incorporate risk awareness in their handling of their business model and the mandatory governance components, such as the multiplicity of written policies that even small insurance companies will have to have in place. Particularly life insurers, with their long-term contract periods, will have to apply holistic principles derived from the two overriding Solvency II objectives: to protect policyholders by ensuring that insurance companies always have risk capital cover in line with their risks; to create uniform rules for audits and reporting in the EU legal environment through structural, methodical and formal audit standards. Internal controls to minimise process risks Although the new qualitative requirements introduced by Solvency II will initially demand considerable additional resources, they do provide opportunities to improve the structure of processes. The ICS is the main tool as regards the operational risks in core processes, as the typical ICS key controls are applied precisely at those points in the underwriting process where the highest exposure to risk has been identified. Thus, a properly implemented internal control system meets not only the regulatory requirements, but also those relating to compliance and process performance, which is clearly in a company s own interest. There is a synergy effect, because the information provided to the insurance supervisor is derived from the same database as that needed for internal audit and corporate management. Consequently, the findings from the risk assessment and the Solvency II qualitative requirements mentioned should both be taken into account when designing an effective structure for an internal control system. Apart from fulfilling Solvency II reporting requirements, the goal of an ICS as regards risk management is to identify, control, avoid or, at least, reduce operational risks for example by applying dual control at key stages in a process. The second pillar requires companies not only to describe the risks they have identified as being significant, but also as far as possible to quantify the potential financial loss. Methodologies include maintenance of the company s own databases and expert estimates of the occurrence probability and assumed loss for a risk. Moreover, it would make sense for insurance companies to determine the losses directly expected or incurred for reputational risk as well as for operational risk, because, although Solvency II makes a distinction between operational and reputational risk, in practice operational risks that have materialised have frequently led to critical reports in the media and thus damaged a company s reputation with its stakeholders. An internal control system for individual operational risks based on the identify, assess, control principle could have the following structure: 1. Risk identification 1.1 Allocation to risk category: processes, systems, people, external events 1.2 Description of the risk 1.3 Description of the causes 1.4 Description of the effects (on existing regulations and processes) 2. Risk assessment 2.1 Occurrence of risk (e.g. daily or weekly) 2.2 Quantitative assessment of the potential financial loss 2.3 Quantitative and qualitative assessment of the potential damage to reputation 3. Risk control 3.1 Name of control 3.2 Objective and description of control 3.3 Frequency of control (e.g. quarterly) 3.4 Responsibility for design of control 3.5 Responsibility for performance of control 3.6 Review of risk control

8 Page 8/8 Support from reinsurer The role of the reinsurance partner will also change as a result of the more stringent control and reporting requirements. A life insurer using, for example, an external risk assessment and pricing tool such as Munich Re s MIRA system needs not only technical and operational security for the daily use of sensitive data in its business, but also the certainty that all legal and regulatory requirements are fully depicted and integrated. The example of MIRA highlights how assuming unchanged use of the service its formal references will alter once Solvency II has been introduced: Life insurers will prepare documentary evidence for the supervisor showing that the use of external services relating to its underwriting methodology and the underwriting processes selected has been in accordance with governance requirements. It will be based on its policies for risk management and outsourcing and a comprehensive contract. As a service provider, the reinsurer will consistently provide the life insurer with high-quality content and service, complemented by additional features such as adapted conditions of use, extended documentation or technical access for the regulator. However, these additional tool features are in any event indispensable to enable a company to meet the regulatory requirements relating to its own risk model, ICS or reporting. Fig. 5: Examples of services improving qualitative risk management Processes connect.munichre: access rights Creation of case and productspecific forms/guidelines Advice on new business processes: analysis of actuals and optimisation potential UW review: Analysis of actuals and optimisation potential Systems MIRA: coherent acceptance policy connect.munichre: best possible personal data protection Automated underwriting/uw rule sets Munich Re services Our final diagram shows some examples of the services and systems that Munich Re makes available to life insurance cedants. They provide both real technical solutions to key risk management requirements such as standard underwriting rule sets and qualitative solutions such as knowledge transfer in the form of training. The products are grouped by operational-risk category to illustrate the areas in which they can be used. Human error Qualifications for underwriters and company medical officers: Local and cross-market workshops/seminars, structured certified training and individual measures Decisions: Support from reinsurance experts and documentation Quality assurance: External dual control, underwriting audits Fraud Heightening awareness of risks in underwriting processes Heightening awareness of risks in product development/proposal process at PoS It is likely that, in future, standard and automated processes or audits will increasingly form a part of risk management at the interface between insurer and reinsurer. This would not only increase the quality of cooperation between the two, but would also become established as an integral component of the life insurer s reporting and documentation requirements vis-à-vis the regulator. With its extensive experience in building its own risk model and rapid analysis of all Solvency II-related developments from both an insurance and a reinsurance perspective, Munich Re is today already able to provide support to its cedants in areas that will be of key significance under Solvency II Münchener Rückversicherungs-Gesellschaft Königinstrasse 107, München, Germany Order number