Mr Russel Lok and Ms Esther Huang from EY in Singapore share issues keeping Chief Risk Officers awake at night, based on discussions generated from a roundtable organised by their firm.
The Monetary Authority of Singapore (MAS) introduced MAS Notice 126 Enterprise Risk Management (ERM) for Insurers on 2 April 2013. This notice, which has taken effect from 1 January 2014, introduces both mandatory and non-mandatory requirements for all licensed insurers operating in Singapore, except for captives and marine mutual insurers.
Some of the mandatory requirements include the need to establish an ERM framework, putting in place risk identification and measurement processes, instituting and maintaining a risk management policy and risk tolerance statement, establishing a feedback loop and performing an Own Risk and Solvency Assessment (ORSA) annually. These requirements, aimed at raising the risk management bar within the Singapore insurance industry, have generated immense interest and momentum among industry players.
C-suite executives are kept awake by several key implementation issues, based on the discussions that were generated at a recent Chief Risk Officer (CRO) roundtable that EY organised for life and general insurance companies.
Scanning the landscape
One of the concerns that weigh heavy on the minds of the C-suite executive is the “fear of the unknown”. Without a better way to manage this fear, some insurers find themselves frantically scanning the landscape in which they operate their business to end up with hundreds of individual risks that prove to be unwieldy to track and manage. A pragmatic and effective approach is therefore essential for every organisation, regardless of its size and complexity.
At the corporate level, the insurers represented at the roundtable typically tracked up to 20 key risks in their risk identification. Key risk categories were broadly aligned to the six risk categories set forth in the MAS Notice 126, namely insurance risk, market risk, credit risk, operational risk and liquidity risk. Some insurers have taken proactive steps to include legal, regulatory and reputational risks, given the rapid regulatory developments and increased financial literacy among consumers in recent years.
Another positive trend is that several insurers have started to engage their key stakeholders in regular interactive risk conversations using a combination of top-down and bottom-up approaches. Identified risks are prioritised based on their materiality, with resources being dedicated to manage them against internal risk appetites.
Managing the unknown
A challenge raised by some industry representatives was the lack of credible historical experience and well-established toolkits to quantify the severity of certain identified risks. For instance, operational risk and regulatory risk are notoriously difficult to measure and quantification approaches continue to evolve globally.
In the UK, the Association of British Insurers (ABI) collects extensive industry data across the British insurance industry. However, this has yet to be norm in Asia including Singapore. To bridge this gap, some insurers have begun to use qualitative assessments via techniques such as hypothetical scenario testing, risk scoring and Risk and Control Self Assessments (RCSA) to size up their risk exposures.
The MAS, in its Risk-based Capital Framework Review (RBC2) consultation, has sought the industry’s feedback on the type of data that the industry should be collecting to build up sufficient data to quantify operational risk. It may well be the case that the industry does not need to wait for long before progress is made to establish an industry-wide operational loss database.
Going the extra mile
MAS Notice 126 also highlights the adoption of economic capital, which is the amount of capital that an insurer needs to satisfy its risk tolerance and new business plans. This goes beyond the existing regulatory capital requirements that insurers need to set aside.
The MAS has clarified its stance that the establishment of economic capital models is entirely at the discretion of insurers, provided that the insurers are aware of all the relevant and material risks that they face. The MAS will neither evaluate insurers’ economic capital models in the meantime nor accept economic capital in lieu of regulatory capital requirements.
Most of the insurers at the roundtable recognised and appreciated the importance of economic capital models to support their risk management activities. However, some insurers, in particular those with smaller-scale operations such as insurance branches or new start-ups, are not ready to develop their own economic capital models due to resource limitations or the lack of support from their headquarters.
Others have expressed significant challenges in securing management buy-in to implement economic capital measures and practical difficulties in explaining these measures within the organisations. The use of a proxy approach to establish an economic capital estimate appears to be the favoured short-term solution while the insurers gradually develop their internal risk management capabilities over time.
Jumping over the hurdle
By the end of 2014, Tier 1 insurers in Singapore will need to cross the hurdle of producing and submitting their ORSA reports to the MAS. The same will be required of non-Tier 1 insurers by the end of the following year. Although the MAS has spelt out clearly in MAS Notice 126 that each insurer’s Board of Directors and Senior Management take responsibility for the ORSA, it has not specified the appropriate function or person that should own the ORSA report.
Some insurers at the roundtable were of the view that the risk management function mainly acts as a coordinator to put together the ORSA report. However, the report should be jointly owned by the CRO and CFO since the relevant inputs into the report come mainly from the Finance and Actuarial departments. Others believed that the ownership is linked to the way the departments are structured. Some risk management functions, led by the CRO, may be independent of the Finance and Actuarial departments and report in to the CEO. In such cases, the CRO might well be the rightful owner of the ORSA report.
Regardless who the final owner of the ORSA report may be, the essence is to build up the internal risk culture and harness the ORSA report in managing the business. The challenge for insurers in 2014 is to look beyond the trees and find a way to make ORSA a useful addition to the myriad of processes that are already running within the organisations.
Mr Russel Lok is an Advisory Partner and Ms Esther Huang is an Advisory Manager, both at EY in Singapore.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Member firms of the global EY organisation cannot accept responsibility for loss to any person relying on this article.