Compliance Risk is a risk that the Company’s actions or inactions might result into potential regulatory interventions or regulatory actions, which could adversely affect the Company’s reputation. This one of the important risks in Insurance Sector. The Regulator of Insurance IRDAI has penalised many Insurance Companies, Insurance Intermediaries, TPAs, Insurance Brokers etc., for non-compliance and non-fulfilment of regulatory requirements. In some cases, IRDAI refused to renew licenses given or revoked license of an Insurance Company on the basis of non-compliance.
Generally, penalty orders are published in news papers and shown on the website of the Authority this will lead to damage of reputation of the Company in the market, which will also dent trust of market as well as prospects and policyholders of the Insurance Company.
Compliance Risk Management aims to proactively identify the compliance risks by respective functional units, identifying the current controls and taking corrective actions to mitigate the Compliance Risks.
It is duty of Chief Compliance Officer to put in place a framework for identification and mitigation of Compliance Risks.
PLEASE NOTE that compliance of various regulatory rules and guidelines are the duty of functional heads of Insurance Company and not Chief Compliance Officer. Thus, it is clear that the Compliance Risks Management process is owned by respective functional units and Chief Compliance Officer will facilitates them in compliance.
AN EFFECTIVE COMPLIANCE RISK MANAGEMENT PROCESS INVOLVES THE FOLLOWING STEPS;
|(1) Identification of Potential Compliance Risks;
(2) Rating of Risks;
(3) Current Control in Place and evaluation of adequacy of Current Control;
(4) Identification of new actions required to mitigate the risks;
(5) Projected risk rating after implementation of new actionable;
(6) Presentation of Compliance Risk Registers;
(7) Followup review meetings with risk owners and actionable owners;
(8) Discussion with EXCOM on the Compliance Risk Management Program.
LET’S DISCUSS POINT WISE
1. IDENTIFICATION OF POTENTIAL COMPLIANCE RISKS;
First, we need to have clear understanding of various regulations, circulars and guidelines issued by the Authority and applicable to your Company. The Compliance Officer discusses the compliances required for various processes within the function with the concerned functional head and assist the functional head in identification of the potential gap. It is to be noted that for operational compliances, it is the functional head who is the best aware of the potential gaps and the possible exposure to the compliance risk.
Let’s consider an example, we know that Regulatory TAT for issuance of an insurance policy if 15 or 30 days from the date of receipt of proposal form by an insurance company. Now the functional head of Operations Department is COO and he is the best person, who knows how many instances company has breached regulatory TAT and he will come with solutions and actions to reduce TAT breaching and ensure compliance with regulatory TAT.
NOTE: All Compliance Risks must have a risk owner. There will be only one risk owner for one compliance risk.
2. RATING OF THE RISKS;
Risk Rating – is the exercise of assigning a rating to understand the seriousness of the risks. In an insurance company there could be many risks, which need to be managed including Compliance Risks. But it is important first to prioritise and focus the attention of the management on risks on those, which deserves priority.
Rating a risk helps understanding the gravity of the risks and decide on those which management wants to focus first.
Once Compliance Gaps are identified, the nest steps would be to prioritise the risk based on below mentioned two parameters;
i) Probability of Occurrence of the risk;
ii) Consequences if risk occurs.
This would help us identifying the risks which needs to be focused first.
3. CURRENT CONTROL IN PLACE AND EVOLUATION OF ADEQUACY OF CURRENT CONTROL;
Now after identification or gaps and rating of risks, next step is to identify Current Controls in place in the organisation and its adequacy to check and mitigate Compliance Risks. Taking stocks of these controls is intended to decide what are the additional controls which are feasible and essential to eliminate or mitigate the risks.
Let’s consider suppose, the risk of increasing number of customers complaints or grievances on misselling reported to the Regulator. This would be in high-risk category. Now it is imperative to first identify what measures the company has in place to avoid increasing number of complaints.
We have to check at the point of sale what kind of controls are in place to avoid misselling, like benefits illustrations signed by customer, product brochures containing details product features given to the customers etc.
The next step would be to check if there is any finetuning required to be existing controls or any measures to control the compliance risk.
4. IDENTIFICATION OF NEW ACTIONS REQUIRED TO MITIGATE RISKS
Now identifying new actionables is next logical step to mitigate or eliminate risks. The Chief Compliance Officer must assist the COO in identifying the additional steps required.
Root Cause Analysis is an important process at this stage. For example, if customer understanding is the core issue of misselling, can the COO consider a verification mechanism to confirm if customer understood the essential features of the product, he or she is purchasing. The probable new action here be identified as “Customer Verification”, either in person or through phone call, depending on the size of the case.
NOTE: New set of actions must be clear and specific (no mother hood statements allowed) and will have a deadline and name of person responsible for taking action. There could be multiple persons involving multiple actions.
5. PROJECTED RISK RATING AFTER IMPLEMENTATION OF NEW ACTIONABLES;
This is expected risk rating after all the actionable identified are implemented. This gives the target to be achieved and is a useful guide for the risk owner.
6. PREPARATION OF COMPLIANCE RISK REGISTERS;
A Compliance Risk Register needs to be prepared giving all the above information properly documented and signed of by the respective owner. This becomes the “Mother Document “, for future reference.
|Risk Registers are prepared for each and every risk. The register typically contains the following information;
Definition of Risk- this definition must be something like a Headline in the newspaper. it gives a summary of the risk in 2 or 3 lines. It must be clearly what the risk is and what it could lead to or result into.
Example- the definition of risk of earthquake could be as follows;
“Risk that”, the earthquake occurs in Bay of Bengal leading to Tsumani in East Indian Coast, resulting into mass destruction of lives and catastrophic claims to the Company”.
(a) Owner of risk-normally there can be only one owner;
(b) Current rating of risk based on two parameters given above;
(c) Current controls in place- this section lists down the current control measures already up and running to maintain risk at the current rating;
(d) Actionable identified to be performed by various functions to mitigate the risk or in an extreme scenario, for justified business reasons, to live with the risk.
(e) Name of the person responsible for taking actions- it could be the owner of the risk;
(f) Estimated risk rating -assuming that actionables are implemented on time. This rating should normally be lesser than the risk rating before the actionables were taken.
7. FOLLOWUP REVIEW MEETINGS WITH RISK OWNER AND ACTIONABLES OWNER;
KEY RISK REPORT- is the aggregation of the risk register for the key risks identified by the management and is prepared to evaluate and discuss the Company’s Key risks from time to time. Monitoring of key risks report is performed on an at least quarterly basis by the management with the assistance from Risk Management Function. Further Key Risks Report is also discussed at the management and Board level Risk Committees.
The most important step in the Compliance Risk Management process, is the fallow up meeting, at least once a quarter with the risk owner and the actionable owner together to review progress, find out the reasons for sluggishness in progress, if any, and removing the blocks in progress with the help of EXCOM members (Management Committee comprising of all direct reportees to CEO).
A follow up review meeting may sometimes reveal that the action identified might have to be modified, dropped or new action identified, due to change in circumstances. While such changes are acceptable, there cannot be significant changes to the actions identified. It only denotes that the initial exercise of identifying the actions was not properly done. Further, it results in avoidable wastage of time and efforts.
8. DISCUSSION WITH EXCOM ON COMPLIANCE RISK MANAGEMENT PROGRAM;
Compliance Risk Registers must be presented to the EXCOM by the Chief Compliance Officer for their review and advice. This exercise must be done at least once every half year. Any instructions given by EXCOM must be implemented by the Chief Compliance Officer.
Reporting these risks ensures that Senior Management receive the necessary information required to perform their oversite function and to make timely and effective decisions.
CONCLUSION: Since the concept of insurance is based on the concept of pooling of risks of many to pay the claims of few insured, who has suffered insured loss and in other words we can say that the concept of insurance involves a transfer of risk from one party, such as an individual or company buying an insurance policy, to another, such as an insurance company. Insurance companies themselves are prone to many risks in running the insurance business and need to take steps to eliminate or mitigate these risks. There may be various types of risks an insurance company is facing such as Financial Risk, Reputational Risk, Compliance Risk, Legal Compliance Risk etc. The Compliance Risk is the most important risk factor for insurance companies. The Regulator has issued various rules, regulations, guidelines and from time-to-time Circulars and any non-compliance with these will lead to reputational, financial risk to an Insurance Company. In some cases, IRDAI may refuse to renew license or cancel license of insurance company in case of non-compliance. Unless insurance companies manage their risks, they will not be in a position to effectively deliver their values to the customer and stay afloat in the business to achieve their goals.
DISCLAIMER; The entire contents of this document have been prepared on the basis of relevant provisions and as per the information existing at the time of the preparation. Although care has been taken to ensure the accuracy, completeness, and reliability of the information provided, author assume no responsibility, therefore. Users of this information are expected to refer to the relevant existing provisions of applicable Laws and take appropriate advice of consultants. The user of the information agrees that the information is not professional advice and is subject to change without notice. Author assume no responsibility for the consequences of the use of such information.