Target Markets: Enterprise Risk Management for Insurance

If you look at the current landscape, the market is evolving so quickly, regulators are more concerned about risk than ever and the consequences of not managing risk are much more intense than previous year. Gone are the days of slaps on the wrist, your company may be facing much heavier fines and regulatory scrutiny than ever before. It's no longer enough to say "I have it documented". Regulators are looking to see if you're thinking about the risk, managing it properly, and have a plan in place in case the risk goes bad.

The first step is picking a modern ERM system, not an excel spreadsheet or old fashioned risk register. These items are static, so when risk appetite or controls change, they are not easily updated and unable to provide a full view of the enterprise's current risk profile. However, ERM cannot become just an IT project - it has to be a part of the DNA of an organization.

Gary recommends starting with just a few categories of risk, then adding from there. Start identifying, monitoring, and measuring 1-2 risk categories, within 3-4 months, you can understand a lot, if not all, of the needs for the 1-2 risk categories. It becomes a replicable process, so you don't need to spend significant time going forward. After spending 3-4 months, identifying, monitoring, and measuring these few risk categories, you should be able to explain your companies risk progress, goals, and evolution. By adding 1-2 categories each quarter, you'll build a full ERM model that only requires maintenance and provides an extensive view of your company's risk. Click the button below to watch to full interview on TargetMarkets.com

 This is another installment in the series of articles which address the “Current State of Enterprise Risk Management in American Companies.” It leverages findings, questions and insights related to Enterprise Risk Management (ERM), derived from an extensive conducted by the AICPA in conjunction with NC State University: “2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 14th Edition”, and can be found at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.

Enterprise Risk Management is a set of processes, policies, and staff that has the potential to help companies avoid both routine pitfalls and more importantly, existential crises.  It also helps companies meet their strategic goals and avoid the humiliation of yet another quarter or year of falling short of the Board’s expectations.  Despite this potentially critical role within a company, ERM is often given short shrift, especially when it comes to prestige, funding, and necessary tools.

This article addresses this apparent paradox, and offers some suggestions for improving ERM so that Senior Management and the Board Risk Committee can finally get a good night’s rest.

If the reasons for having rock-solid ERM structures and processes in place are so compelling (and what could be more compelling than saving your company from ruin?), then why do only ~ 1/3 of companies have end-to-end ERM processes or feel that their ERM processes are mature? (1).

The AICPA / NC State survey highlighted a number of excuses that Senior Management employs when justifying decisions not to fund / staff ERM upgrade efforts.  The chart below summarizes the  reasons given and their relative frequency. 

 Addressing this cluster would require ERM management to lay out a future-state vision for the function and mobilize internal resources.  We laid out these steps in a previous article. (2)  This appears absent, however, since Senior Management is not animated.  Beliefs such as “we’re using other methods” and “I don’t see a clear ROI for this function” suggests there is nothing animating the C-suite to change the status quo:  

B. “We’re Already On It…” – 29%

• “Other methods for Monitoring” (besides ERM) 24% (1)
• Would overcomplicate what can be best done ad hoc 5% (1)

Yesterday’s news and performance may have been ok.  However, complacency is usually not a solid foundation for most businesses or business functions, and sooner or later, especially in today’s environment, threats are bound to present themselves.  And giving the answer of “we just weren’t as vigilant as we thought” will not suffice.

C. “We’re too busy fighting fires” – 24%

• Too many other pressing needs 24% (1)

This one has just a touch of irony, as it’s akin to a homeowner saying, “we’re too busy to install smoke detectors” or “they’re too expensive,” but in the meantime have had three minor brush fires in their yard, due to three different causes.  When will the big one hit?  You don’t know, but you don’t want to find out, either.

D. “Show Me the Money” – 12%

• “Do not see benefits exceeding costs” (12%) (1)

At first glance, this argument appears sound, as ERM does not have a clear ROI, unless one is sure that a certain risk(s) would manifest, at a known dollar magnitude, in a given time frame, and the ERM system would have definitely detected it and enabled mitigation.  That scenario would have clear, hard-dollar returns.  

But that scenario doesn’t “exist in nature.”  Most of ERM’s benefits are of the soft-dollar variety, i.e., Cost Avoidance, reduction in time and effort for risk reporting and remediation, satisfying key stakeholders such as the Board, Ratings Agencies, Regulators, etc.  The good news here is that this reason wasn’t cited more often.

Everyone has heard the quote from Isaac Newton that “an object at rest tends to stay at rest” which implies that you have to apply a force to that object to get it moving.  And Enterprise Risk Management processes and organizations which have been “stuck in neutral” for a while likewise need some force applied.  Here are some ideas / messages that can get an organization moving:

1. A leader must emerge to knock over the impediments:  An ERM champion must begin the process of knocking down the impediments detailed above, using facts and exercising influence.  It won’t be easy, but this is a case of getting people to do what they know they should do.
2. The Journey of a Thousand Miles Begins with the First Step:  There are other clichés about eating elephants, but the fact is that Senior Management must be convinced that this can be approached as a series of small and manageable efforts, and not a single herculean task.
3. Prioritize based on Need / Bang for the Buck / Likelihood of Success:  A company may look at the People / Process / Technology framework for selecting ERM improvement efforts.  However, to make the best decisions on how to spend company money and focus, it would be best if the working team considered the following when making their selections:
   • Culture:  Build an inclusive function where Risk Management is part of everyone’s job.  ERM managers need to involve the first and second lines of defense with thought leadership, accountability, and ongoing participation and leadership.  New technologies now enable this much better and are currently being overlooked.
   • Need:  Which areas of Risk Management have been problems over the past several years, and more importantly, which areas have been under the Management / Board microscope because they’ve been problems?  This will provide you with a good starting point.
   • “Bang for the Buck”:  This is where the Cost/Benefit argument is to be made.  Each of the potential efforts should be costed out and presented side-by-side with the benefits delivered.  The visibility of these improvements should also be considered, as benefits not noticed “didn’t happen,” at least in the context of company management.
   • Likelihood of Success:  This is where the organization must be brutally honest about its resources, culture and organizational will.  Change efforts need quick and successful outcomes to create momentum, and build rank and file enthusiasm for a new risk culture. Start slow and ensure that you don’t over-promise and under-deliver.

1. Don’t be afraid to ask for help:  In the 21st century, most companies don’t have available bandwidth “just sitting on the bench, waiting to be put in the game,” especially for projects requiring specialized expertise.  If the company needs help with making the business case, structuring and managing the project, and rolling it out to the rank and file, it should avail itself of those kinds of help. 

The year is still young – there is still ample time to make some changes that move the needle in ‘24.  All you’ve got to do is start the ball rolling.

Learn more here: https://www.srawatchtower.com/post/improve-your-enterprise-risk-management-capabilities-in-6-months-or-less-even-if-your-people-are-busy

‍

Sources:

(1) 2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 14th Edition

(2) https://www.srawatchtower.com/post/are-risk-managers-at-risk-a-7-step-action-plan-to-save-your-company-and-secure-your-job

 “Grade your own paper” before the Regulators do it for you with an Enterprise Risk Management Maturity Assessment

Insurance companies can easily become complacent or narrow-minded when it comes to their ERM capabilities. They may adopt a "nothing bad has happened yet" approach to risk management or focus only on areas of obvious strength and familiarity. This can lead to the belief that their organization excels in ERM or lacks any significant weaknesses, which may actually be true. However, it is far more beneficial to have concrete knowledge rather than assumptions. It is important to identify areas that require attention and determine the extent of that attention needed.

The most effective way to gain this knowledge is by conducting a structured review using an Enterprise Risk Management Maturity Framework that encompasses the key Pillars of Risk Management Maturity. Below we share some best practices for insurance companies trying to mature their risk management program and why it's sometimes better to “Grade your own paper” before the Regulators do it for you.

A big part of gauging a company’s current level of risk maturity is understanding its Risk Culture. This cuts across numerous risk management capability areas or “Pillars.” The Risk Culture is invariably a reflection of Senior Management’s actions, communications, and “tone” regarding risk. It’s all about values, and the rank and file must see Management “walking the walk.”

Quite simply, an organization lacks true Enterprise Risk Management maturity unless it has trained Risk Management professionals who have the ear of both Senior Management and the operating units. These professionals would know how to evaluate risks in terms of severity, likelihood, time horizon, correlation with other risks, etc. A company with a solid risk culture is also one where everyone in the organization is aligned around the company’s defined risk/reward tradeoffs, understands the company’s desired risk posture, and understands how its day-to-day actions and decisions affect this risk posture.

Calibrating your Risk Management Maturity is essential for identifying gaps, assessing current effectiveness, and prioritizing improvement efforts. But where do you begin?

For one, there are several frameworks that a company can turn to for an assessment, and you can opt for either do-it-yourself approaches or assistance from a third party. For instance, COSO and ISO both have frameworks for Enterprise Risk Management that can be adapted for looking at Risk Maturity. But adapting these frameworks for ERM Maturity Assessments in the financial services space takes some doing – how do you know if your first attempt will stand the test of time, i.e., what’s the maturity of your Maturity Assessment?

SRA Watchtower has already done the heavy lifting and developed a configurable Insurance Risk Maturity Framework that has been tried and tested multiple times across numerous organizations. Moreover, it’s compatible with the COSO and other recognized ERM Frameworks. Regardless of approach, the key is to get an honest, unvarnished assessment on where you are today, determine gaps that you must address, and prioritize those which will yield the “biggest bang for your improvement dollar.”

A Risk Maturity Assessment has numerous benefits for an insurance company. In the initial phases of the process, it requires Senior Management and the Board both to clarify their risk priorities and create meaningful metrics and action plans. The process also provides useful material for discussions with Regulators and/or Ratings Agencies. If these entities point out risks/risk categories that need attention, the Risk Maturity Assessment and the prioritized list of improvement actions can go a long way toward convincing the relevant parties that risks are either under control or mitigation is in process, i.e., no surprises.

Finally, the Risk Maturity Assessment can form the basis of a 2–3-year improvement roadmap. This roadmap “begins with the end in mind” starting with Management’s and the Board’s vision of ideal end-state capabilities and lays out the tools and skills required to get there. This not only enhances the odds of a successful outcome, but also goes a long way toward building a risk culture.

To recap, in our experience working with clients, a Risk Maturity Assessment is a critical first step on the journey to superior Enterprise Risk Management. This journey takes a company from a backward looking “what happened here and why didn’t we have the insight or time to act more effectively?” to a forward-looking “we’re watching things way before they become real threats.”  In other words, “ERM, Evolved.”

Insurance is an industry that, due to its nature of collecting and paying out large sums of money, is prone to both external and internal fraud.  External fraud can be committed by service providers (auto body shops, contractors, physicians, diagnostic clinics, etc.), and internal fraud can be committed by employees, both by themselves, as well as in concert with parties outside of the company.  

The scale of fraud in the insurance industry is vast: according to the FBI, the cost of fraud (non-health insurance), is estimated at >$40B. Not surprisingly, Claims are especially vulnerable to fraud, and fraud accounted for between 15 and 17 percent of total claims payments for auto insurance bodily injury in 2012, according to an Insurance Research Council (IRC) study. The study estimated that between $5.6 billion and $7.7 billion was fraudulently added to paid claims for auto insurance bodily injury payments in 2012, compared with a range of $4.3 billion to $5.8 billion in 2002. (1) Regarding general employee fraud, a 2018 study showed that employee fraud accounted for more than $7 billion in total losses, at a median loss of $130,000 per case, with 22 percent of cases causing losses of more than $1 million each. (2)

And, the fraud problem is getting worse.  In 2019, the Coalition Against Insurance Fraud and the SAS Institute published a report entitled, “State of Insurance Fraud Technology.” The study was based on an online survey of 84 mostly property/casualty insurers conducted in late 2018. Nearly three-quarters of the survey participants said that fraud has increased either slightly or significantly in the past three years, an 11-point increase since 2014. No insurer has said that fraud has decreased significantly in the last six years. (3)

Given that this problem has real scale, let’s explore how employees at Insurance companies commit fraud and what companies can do to both prevent it and detect it.

Just as external fraud can be committed at each of the insurance process steps such as Producing, Marketing, Underwriting, Filing Claims and Paying Claims, among others, there can be internal involvement in the fraudulent activities at each of those process steps as well.

A key type of insurance fraud that Producers commit is Premium Diversion, and there are two broad categories of this type of activity.  There are the cases where agents or brokers “sell” insurance, collect premiums, but don’t remit them to their affiliated insurance company. In these cases, either policies are not issued, or coverage is dropped.  There are also cases where fraudulent “agents or brokers,” who represent fraudulent agencies, sell insurance to unwitting customers. They issue bogus policies or never intend to pay a claim, and these unfortunate customers are out in the cold after an event and out of pocket for the premiums they have submitted. These are clearly some of the most egregious frauds that are associated with the Insurance industry.

Sources: thestreet.com: Insurance Fraud; 8 kinds of employee fraud and how to prevent it. By Marlene Satter | August 12, 2019 

Most of these types of fraud, especially ones committed by employees, are often the result of several fundamental motivations:

1.    Employee feels stressed / desperate

2.   Employee feels wronged / neglected

3.   Employee has access to valuable assets

Or, to go back to Criminal Justice 101 – Means, Motive and Opportunity. And let’s not forget that they also believe that they can getaway with it, because they have knowledge of the business processes upon which they commit the fraud. Given how often employees do getaway with it, and for how long they make these frauds last, they’re not altogether wrong.

Most of these types of fraud, especially ones committed by employees, are often the result of several fundamental motivations:

1.    Employee feels stressed / desperate

2.   Employee feels wronged / neglected

3.   Employee has access to valuable assets

Or, to go back to Criminal Justice 101 – Means, Motive and Opportunity. And let’s not forget that they also believe that they can getaway with it, because they have knowledge of the business processes upon which they commit the fraud. Given how often employees do getaway with it, and for how long they make these frauds last, they’re not altogether wrong.

Most of these types of fraud, especially ones committed by employees, are often the result of several fundamental motivations:

1.    Employee feels stressed / desperate

2.   Employee feels wronged / neglected

3.   Employee has access to valuable assets

Or, to go back to Criminal Justice 101 – Means, Motive and Opportunity. And let’s not forget that they also believe that they can getaway with it, because they have knowledge of the business processes upon which they commit the fraud. Given how often employees do getaway with it, and for how long they make these frauds last, they’re not altogether wrong.

Although there are many reasons that employees are tempted to take the plunge into committing fraud, they usually involve some combination of those shown below, and sometimes it can be a push-pull effect. For instance, if an employee is feeling slighted / under-appreciated, and/or has an overbearing boss, these factors, when combined with great growth / financial results, might lead a person to try to “get what they think is rightfully theirs.”  This is just one combination of the environmental and cognitive factors that go into this unfortunate choice that some employees make.

Regarding prevention, of course you should have a company culture that not only stresses honesty and integrity, but also lives those values and provides solid examples. The company should also have basic fraud detection training, similar to that which is now happening in the Cyber security realm. At the very least, the company should conduct training for the 20% of the functional areas which usually account for the 80%+ of fraudulent activity (if Pareto holds true for Employee Fraud, which one would expect). This training would include, first, a powerful “why” – why employee fraud that hurts the company also hurts employees downstream. Then, employees should be trained in how fraud happens, how to recognize it, and how they can provide tips to the company to help stop it.

Tips from employees are often the way that fraud is first discovered. In fact, according to the Association of Certified Fraud Examiners (ACFE) 2018 Report to the Nations, employee tips account for 40% of all fraud cases being detected. Of this 40%, 53% of tips are from employees of the victim organization, 32% are from individuals outside of the organization such as customers, vendors and competitors, and the remaining 15% of tips are from anonymous whistleblowers. (4)

You should also have business processes and signals in place that demonstrate to employees that someone is “watching the store.”  You don’t need to have “in your face, all the time” demonstrations of surveillance, as that can affect morale negatively, but there should be visible indicators that the company takes governance and good behavior seriously, and that it does not rely merely on “scout’s honor.”  Somewhere between “unconditional trust” and a “police state” lies the right answer, and the good news is that there is a lot of playing field in the middle that is acceptable to both employer and employee.

However, prevention is not a “silver bullet,” and thus detection is also needed. The basics of detection would include solid accounting systems with people tasked with looking for unusual cash flows, changes in cash flows, expense categories that, as a per cent of total expenses or revenues, are unexpectedly high, etc. The first step is to determine if fraud is happening, and the magnitude of the problem. If you determine that it’s happening, then you must figure out the where, the how and the who.

To ensure that the company becomes aware of fraudulent activity, it should develop Key Risk Indicators (KRIs) for fraudulent activity and assign Responsible Parties for gathering the data inputs and monitoring either changes or sustained troubling scores for the indicators. These indicators should be visible not just to the Responsible Parties, but also to Senior Management, Department Heads, etc. These fraud KRIs should be fed into an Enterprise Risk Management system, considered part of Operational Risk, and be reported to Senior Management on a regular basis.  This type of visibility negates the excuse of “gee, I wasn’t really watching that.”

Additionally, there should be clear escalation paths for these instances, as well as protocols for confidentiality, as the downside risk of employees who are wrongly accused is steep for all parties involved, but clearly more so for some than others.

AI and Predictive Analytics can help you understand which employees are most likely committing fraud, based on a number of behavioral measurements and observations.  People who are in debt, living beyond their means, going through difficult / uncertain times, both personal and professional, are more likely to do things that “they otherwise wouldn’t do,” and behave in ways that are unusual. These behaviors might involve changing work schedules, taking on or sloughing off certain work duties, not taking vacations, etc. Making use of tools and analyses that can help you distinguish between employees with suspicious behaviors from those without them can be a big help in identifying the sources of fraud.