The Intersection of Risk Management and Corporate Governance
By Carol S. Stern, B.A., FLMI, AIRC, ACS
& C. J. Rathbun, BFA, CCEP, FLMI, HIA, AIRC, ACS
Senior Consultants, First Consulting & Administration, Inc.
With the adoption of the National Association of Insurance Commissioners (NAIC) Corporate Governance Annual Disclosure Act (CGAD) and supporting Model Regulation, the U.S. insurance world has taken a giant step toward the creation of Corporate Governance (CG) infrastructure that closely resembles the European model and related Solvency II requirements. The underlying theme of these new models is evident with the adoption, first, of the Own Risk and Solvency Model Act (ORSA) and now, the CGAD: Enterprise Risk Management (ERM) must be integrated into each insurance company’s corporate governance framework. This intersection was clearly in the minds of the NAIC, since both models have exactly the same CG requirements. As of August 17, 2015, five states (CA, IA, IN, LA, VT) have adopted these two models, and Rhode Island has proposed legislation to adopt the models. The NAIC anticipates adoption by the majority of state legislatures over the next two years.
The risk management oversight required by these models is explicit. They specify clearly defined roles and responsibilities for directors and senior management, as well as requiring a robust risk committee structure. Implementation of this framework can give an insurance company effective governance tools for addressing both quantitative risk (e.g., financial, investment, actuarial, market) and qualitative risk (e.g., strategic, compliance, operational, reputational).
Because of the importance of risk management to the solvency management of the insurer, the NAIC models elevate risk management to be an integral component of any effective CG program. The oversight responsibility of the Board includes assuring a vibrant compliance tone at the top, transparently laid out by the company’s Code of Conduct, risk policy and risk appetite. The Board does not, however, usurp any of the day-to-day duties of the senior executive management team to continually assess, monitor, prioritize, mitigate and report on the company’s “material and relevant risks.”
The new CGAD model act and regulation will require companies of all sizes and structures to tighten their governance structures and practices. Companies must document these changes with updated by-laws, charters, policies and procedures. Documentation will help regulators be assured that the Board of Directors and any of the Board committees have been formally assigned, and have formally accepted, the ultimate responsibility for governing the insurer. An annual filing is required to document how the company CG framework delivers appropriate leadership, including documentation of the activities wherein the duty of care by the Board of Directors and Chief Executive Officer (CEO) is demonstrated.
The NAIC models require a governance structure that expects the Board and key executives to act in good faith and in a manner the Board of Directors reasonably believes to be in the best interests of the company. On an individual basis, each of the Directors is responsible not only for acting in good faith, but also for being willing to challenge any acts that are not performed in good faith. They must accept a duty to act in the best interest of all stakeholders including the public, company policyholders, vendors, third parties, agents/producers, employees and the managers of the company. They report directly to the higher authority of shareholders or other owners, and of course to the regulators of the states where the company does business. One of the requirements of these new laws is to perform an annual evaluation of the CEO and other members of senior management that includes an assessment of the fulfillment, or lack thereof, of their own responsibilities and a truthful evaluation of the adequacy, expertise and actions of the Board as a whole.
What are the responsibilities of the Board, senior management and its committees regarding risk oversight?
The models specifically highlight the following duties for the Board:
Assuring compensation programs do not encourage and/or reward excessive risk taking, while also facilitating company growth by incorporating measured strategic risks.
Staying informed about the company’s strategic plans, the associated risks and the steps that Senior Management is taking to monitor and manage those risks.
Reviewing updates on each critical risk area as frequently as necessary to stay abreast of existing, new and emerging risks.
Section E of the CG Model Regulation requires that the insurer describe in the narrative of its annual disclosure, “the processes by which the Board, its committees and Senior Management ensure an appropriate amount of oversight to the critical risk areas impacting the insurer’s business activities.” Critical risk areas are defined as:
a. Risk management processes (A company that files an ORSA Summary Report may refer to that report as part of its narrative);
b. Actuarial functions;
c. Investment decision-making processes;
d. Reinsurance decision-making processes;
e. Business strategy/finance decision-making processes;
f. Compliance functions;
g. Financial reporting/internal auditing; and,
h. Market conduct decision-making processes.
Market conduct examinations have long been looked upon as a way for regulators to determine whether or not the insurance companies under their purview were in compliance with state laws. While exams are still done for that reason, regulators have had few ways to keep their finger on the governance reality of companies between examination events, particularly during governance changes that can have a substantial impact on current and prospective solvency. The CG report will help bridge the gap for regulators, to reach a more consistent comfort level that they are, indeed, helping protect consumers in their care from insurance bad actors.
In this light, regulators anticipate the members of the Board will be well-informed about market conduct activities and examination findings, along with the steps company leaders are taking to address the regulatory concerns. States that pass the CG laws will expect the Board members to recognize their accountability for results of exams and responses to exams.
The Intersection of Risk Management and Corporate Governance
When we step back and remember that these are regulations about the unambiguous reporting on an insurance company’s CG framework, we can more fully appreciate the NAIC’s conscious decision to emphasize ERM. The deliberate intersection of risk management and CG was created in these NAIC models to allow regulatory scrutiny of solvency issues within one unified framework. This means companies of all sizes will need to create a governance structure that imbeds risk management oversight, even if they are below the threshold for filing the ORSA Report.
Even small companies will be able to meet this challenge in part by implementing new CG Guidelines, selection criteria for Board members, position descriptions for key Board members and senior executives, and charters for committees like the Corporate Governance Committee or the Audit, Risk and Compliance Committee. Implementing these changes in a small company may take guidance and assistance from outside consultants, but it will give companies the added benefit of imbedding an ERM framework into their governance structure. Because the new NAIC models tie ERM, ORSA and CG together into one holistic approach, the resulting framework will differ for a small company, and the impact may be felt even more strongly.
The importance of moving toward these new requirements should not be underestimated, since the changes in any company will take time and resources. The NAIC's adoption of CGAD gives a proposed effective date of June 2016. This 10-month window does not seem particularly generous, knowing the amount of hard work that can go into these wholesale shifts. Changes to governance structures, policies, procedures and Board of Director membership require thoughtful planning and time to complete.
A far-reaching benefit for all companies will be the development of a working model which brings risk management into the same Board room with strategic planning, so that risk costs are moderated by controls costs, and the resulting, effective governance will strengthen the core of the insurance industry in the U.S. These governance activities will help align the U.S. financial services industry with the standards of the existing European models, which require stronger solvency requirements in related economies world-wide.
 Insurers with $500 million in annual premiums or higher will likely file annual ORSA Reports beginning in 2015.