RISK MANAGEMENT FOR PRIVATE HEALTH INSURERS. Consultation Paper. January 2013

Transcription

1 RISK MANAGEMENT FOR PRIVATE HEALTH INSURERS January 2013 Consultation Paper Disclaimer This is a discussion paper whose purpose is to stimulate discussion, debate and feedback to the Private Health Insurance Administration Council. The Private Health Insurance Administration Council disclaims any liability for any loss or damage arising out of any use of this paper. The Private Health Insurance Administration Council encourages private health 1 1. Submissions and Enquiries PHIAC insurers to seek independent advice and to exercise care in relation to any material contained in this paper.

2 1. Submissions and Enquiries The Private Health Insurance Administration Council (PHIAC) invites submission on the contents and the potential regulatory impact of this discussion paper. Submissions and enquiries may be directed to: General Manager, Industry Operations Private Health Insurance Administration Council PO Box 4549 KINGSTON 2604 (02) 6215 phiac@phiac.gov.au Important Submissions should be in writing provided to PHIAC by Friday, 15 March Submissions may also be the subject of a request for access made under the Freedom of Information Act 1982 (FOI Act). PHIAC will determine such requests, if any, in accordance with the provisions of the FOI Act. Accessing this paper online This report, together with further information about PHIAC and the private health insurance industry can be accessed from PHIAC s website Use of this Paper While PHIAC endeavours to ensure the quality of this publication, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this publication and will not be liable for any loss or damage arising out of any use of, or reliance on, this publication. This publication is available for your use under a Creative Commons Attribution 3.0 Australia licence, with the exception of the Commonwealth Coat of Arms, photographs, images, signatures and where otherwise stated. The full licence terms are available from Submissions and Enquiries PHIAC

3 Use of PHIAC material under a Creative Commons Attribution 3.0 Australia licence requires you to attribute the work (but not in a way that suggests that the PHIAC endorses you or your use of the work). PHIAC material used as supplied Provided you have not modified or transformed PHIAC material in any way including, for example, by changing the text; calculating percentage changes; graphing or charting data; or deriving new statistics from published PHIAC statistics then the PHIAC prefers the following attribution: Source: Private Health Insurance Administration Council Derivative material If you have modified or transformed PHIAC material, or derived new material from those of PHIAC in any way, then PHIAC prefers the following attribution: Based on Private Health Insurance Administration Council data Use of the Coat of Arms The terms under which the Coat of Arms can be used are set out on the It s an Honour website (see Disclaimer The purpose of this discussion paper is to stimulate discussion, debate and feedback to the PHIAC. It is not a position paper and the information canvassed in it does not constitute recommendations or legal advice. While PHIAC endeavours to ensure the quality of this paper, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this paper, and will not be liable for any loss arising out of any use of, or reliance on, this paper. PHIAC encourages private health insurers to seek independent advice and to exercise care in relation to any material contained in this paper Submissions and Enquiries PHIAC

4 Table of Contents 1. Submissions and Enquiries Risk management and private health insurance Regulatory context Approaches to risk management the current picture Reference points for the current review Options to improve risk management Option 1: Retain status quo: no additional requirements regarding risk management arrangements Option 2: Non-binding risk management guidance material Option 3: Development of a Prudential Standard to require all insurers to adopt effective risk management practices Possible elements of risk management guidance or a prudential standard Assessment of options Invitation to Comment Next steps Abbreviations used in this paper Relevant legislative extracts Submissions and Enquiries PHIAC

5 2. Risk management and private health insurance The private health insurance industry is an enduringly important component of the Australian health system. For over one hundred years it has provided peace of mind through financial support and protection to policy holders and their families when they access health care in Australia. Broad community support for private health insurance (PHI) is borne out by the fact that more than 50% of Australians (in excess of 12.3 million people) currently having some form of health insurance. Recent years have seen the industry move in new directions with more targeted industry advertising, service provision to assist in the management chronic diseases, increased reliance on brokers and the establishment of the government website privatehealth.gov.au. The result has been a wider range of products addressing a more sophisticated array of consumer needs. While these developments have generally been seen as a positive contribution to the private health insurance offering the corollary has been increasing complexity in a product area that is already viewed by many as challenging market research indicates that around half of Australian health decision makers without PHI admitted that they just don t think about it because it s too confusing, 1 while close to 8 in 10 people believe that private health insurance urgently needs to be simplified (IPSOS: 182). The future of PHI in Australia seems set to present further challenges as consumers grapple with ever-increasing choices in a broadening and evolving product set with associated informational, commercial, and risk issues. The Private Health Insurance Administration Council (PHIAC) plays an important role in ensuring the industry remains competitive, efficient and financially sound. We achieve this through an ongoing program of fund reviews, the collection and dissemination of industry statistics, and the provision of advice to government, other regulators and consumers on the state of the industry. PHIAC also plays an important role in ensuring that consumers of PHI are protected. Primarily this is achieved by ensuring the financial soundness of the industry, and through provision of key information 1 IPSOS, Health Care & Insurance Australia, 2011 report, p Risk management and private health insurance PHIAC

6 to assist consumers to make well informed decisions about private health insurance for themselves and their families. These responsibilities are made explicit in the Private Health Insurance Act 2007 (PHI Act) which states that PHIAC should take all reasonable steps to strike an appropriate balance between three sometimes competing objectives, namely: fostering an efficient and competitive health insurance industry; protecting the interests of consumers; and ensuring the prudential safety of individual private health insurers. It is within this context that PHIAC has been reviewing the effectiveness of the risk management practices being used across the Australian private health insurance industry, and discussing potential strategies for strengthening these practices directly with individual insurers. PHIAC s ongoing program of fund reviews continues to highlight variability in the effectiveness of risk management in the industry. This raises a prudential concern which PHIAC must, in the proper discharge of its role, address. This paper has been prepared to generate discussion within the industry about the adequacy of existing risk management practices, to raise awareness of PHIAC s expectations in relation to risk management, and to discuss options to enhance risk management practices across the industry. The paper develops the range of risk management concepts canvassed with the industry at the PHIAC seminars held across Australia in July and August In particular, this paper seeks to advance that discussion by proposing three approaches or options for improving the effectiveness of risk management within private health insurers. Accordingly, the options for discussion are: Option 1: Retain the status quo - no changes to existing arrangements. Option 2: Promulgation of non-binding, quasi-regulatory risk management guidance materials for the industry. Option 3: Development of a Risk Management Prudential Standard to require all insurers to adopt effective risk management practices. PHIAC welcomes feedback on the discussion paper by the industry, consumers and other interested stakeholders. To assist PHIAC s ongoing analysis of the issue, submissions should evaluate the relative merits of each option, and, where practicable, analysis of the potential compliance costs of each proposal Risk management and private health insurance PHIAC

7 Receipt of such contributions will ensure that PHIAC can develop its consideration of this issue with the benefit of feedback which is well-informed, and which improves its capacity to ensure that policy holders are protected without unduly burdening the industry. This paper marks the beginning of at least two rounds of industry consultation. Depending on the level of feedback received, it is envisaged that a second consultation round will occur in mid The second paper will provide feedback on the options canvassed in the first paper and if necessary, additional information to support the consultation process. Comment on this first discussion paper must be received by PHIAC on or before COB Friday 15 March Risk management and private health insurance PHIAC

8 3. Regulatory context PHIAC engages with the industry primarily through a rolling program of fund reviews and desk top reviews, a quarterly review of key industry statistics, regular face-to-face meetings, workshops and electronic communications. This ensures PHIAC has an up-to-date and sound understanding of each insurer s operations, and a strong evidence base for any regulatory activity. The industry benefits from these exchanges in being kept updated in relation to key changes in the sector, and by having access to PHIAC s independent risk analysis methodologies to assist in identifying and resolving potential weaknesses in an their operations. PHIAC exercises a decision-making role in a range of industry transactions, including applications for registration, conversions to for-profit, mergers and acquisitions. In applying to PHIAC for appraisal and / or approval of these and other proposed transactions, the applicant must be able to demonstrate a sound business case, an ability to comply with all legislative requirements and that, during the transaction, policy holder interests will be protected. Divisions 140 and 143 of the PHI Act describe PHIAC s responsibility to develop financial standards for the industry, the Solvency and Capital Adequacy Standards (Capital Standards). The Capital Standards require insurers to retain sufficient capital to ensure their health benefits fund(s) remain solvent and holding sufficient capital to meet their liabilities. Monitoring compliance of the Capital Standards is a significant part of PHIAC s day-to-day oversight, as ongoing compliance minimises the potential for insurer collapse. PHIAC is also empowered under Division 163 of the PHI Act to set binding rules in a broad range of areas to ensure that an insurers conduct their affairs with integrity, prudence and professional skill. Since 2007, PHIAC has exercised its powers in this area by making four Prudential Standards dealing with the topics of Appointed Actuaries (2007); Governance (2009); Disclosure (2011) and Outsourcing (2012). PHIAC sees the design and establishment of targeted industry standards as a key control in the proactive oversight of the industry s affairs. The PHI Act also explicitly sanctions PHIAC acting on a preventative basis in a range of situations. This acknowledges the principle that it is always better that an issue be addressed early and proactively before it has developed the capacity to impact on policy holders and damage not only the reputation of the relevant insurers, but also, potentially, the wider industry Regulatory context PHIAC

9 Whilst PHIAC s preference is to resolve issues collaboratively, where PHIAC has concerns about the long term financial position of an insurer, or has reason to believe that the affairs of an insurer are being, or are about to be carried on in a way that is not in the interests of policy holders, it can pursue a range of enforcement actions, including the issuing of notices and / or directions; the commencement of investigations; request for undertakings; the appointment of external managers; or Federal Court intervention Regulatory context PHIAC

10 4. Approaches to risk management the current picture During the last 10 years, the cornerstone of PHIAC s regulatory oversight of the industry has been a rolling program of fund reviews, designed to analyse the operations of each insurer, with a view to identifying potential weaknesses in an insurer s operations, before these weaknesses impact heavily on the insurer s operations and policy holders. When combined with the quarterly and annual collection of statistics, the fund review program enables PHIAC to: identify and analyse risks specific to each insurer in a systematic manner; assess an insurer s overall risk of failure; and monitor and prioritise the management of risk across the industry. The fund review program examines insurer risk in nine key areas: board composition; risk governance; management; strategic planning; internal controls; business operations; investment; pricing; and capital management. In 2009, a review of sixteen insurers identified that half were operating with informal risk management processes; that two thirds had limited or inadequate Board or Audit Committee review; and that staff awareness of the risk management process was less than optimal. In January 2010, PHIAC introduced a Governance Standard to ensure that consistent and good practice governance arrangements were in place across all insurers. Relevantly, Rule 7(1) of the Governance Standard states: Approaches to risk management the current picture PHIAC

11 [Insurers must have] written policies to manage the insurer s risks [and] procedures in place to monitor and evaluate compliance with the policy and ensure that the policy is regularly reviewed. 2 When it commenced in January 2010, this requirement established a base level of risk management in the industry, designed to enhance existing risk governance practices. It was left to individual insurers to develop policies appropriate to their operations and to develop procedures which would ensure their Boards and senior management teams could effectively monitor the risks of the insurer on an ongoing basis. PHIAC s fund review program has identified that since the introduction of the Governance Standard, the industry has adopted a broad range of approaches to meet this requirement, with significant variability in effectiveness of these approaches and a focus on process rather than outcome. More specifically, during , a review of insurers risk management arrangements was conducted as part of the fund review program. Whilst many of the insurers reviewed demonstrated effective risk management practices, a significant number of those reviewed exhibited some or all of the following issues: Enterprise-wide risk management is generally not in place and where it is, adjustments are needed to maximise its effectiveness. The engagement of Boards in strategic risk management is sometimes limited in a practical sense. Risk appetite statements may be in place but where they do exist, changes are required to ensure they are operationalised effectively. The quality of risk management information and data going to Boards and Committees is often poor due to deficiencies in enterprise-wide risk management arrangements. The use of an external, neutral assessor to review risk management is often not employed. Risk management skills are variable and, not infrequently, quite rudimentary. Mechanisms for engaging staff in risk management are not widely evident. Links between staff responsibilities and risk controls are not clearly apparent. The application of risk management as both a governance process and business process is sometimes limited. 2 Rules 7(1)(a) and 7(1)(b) of Schedule 1 to the Private Health Insurance (Insurer Obligations) Rules 2009 (the Governance Standard) Approaches to risk management the current picture PHIAC

12 PHIAC considers it essential that insurers should employ a structured and systematic approach to the identification and management of risk, given the complexity of the private health insurance business environment and the rate of change within the industry. The benefits of changed and improved risk management practices include: increased likelihood of achieving business objectives; improved communications both internally and externally; improved governance and board oversight; more informed decision making; better use of resources; improved organisational resilience; improved fraud control; and improved compliance with legislative and regulatory requirements. Whilst PHIAC does not advocate a one size fits all solution to the application of risk management in the industry, it is considering options which will achieve sound prudential outcomes through consistent and effective risk management practices across the industry Approaches to risk management the current picture PHIAC

13 5. Reference points for the current review The consequences of poor risk management are regularly highlighted by government and business failings reported through the media. Further, the effects of the Global Financial Crisis illustrate the new paradigm of networks, connectivity and systematic risk management requirements. Risk management provides a recognised and demonstrable approach to improving the effectiveness of organisational governance. Through its application, business relationships are analysed and better understood, and decision making is better informed. In developing options to assist insurers to benchmark their risk management, and to evaluate whether risks are being adequately addressed, PHIAC has taken into account the following reference points: PHIAC s supervisory experience: PHIAC s fund review program has highlighted the variability of insurers risk management practices. Introduction of the PHI Act: Enacted in 2007, the legislation contains provisions which specifically empower PHIAC to make prudential standards addressing the conduct by private health insurers of any of their affairs with integrity, prudence and professional skill. 3 The Governance Standard: As set out in Schedule 1 of the Private Health Insurance (Insurer Obligations) Rules 2009, the Governance Standard includes the requirement that insurers have written policies to manage the insurer s risks, and procedures in place to monitor and evaluate compliance with the policy. APRA Risk Management Standards: Risk management is embedded in a number of prudential standards for approved deposit-taking institutions, and APRA stipulates specific risk management standards for general insurers and the superannuation industry. 3 Division 163 of the Private Health Insurance Act 2007: Prudential Standards Reference points for the current review PHIAC

14 International Frameworks for Risk Management: the International Organisation for Standardisation (ISO) has established the ISO standard as the international standard for risk management. ISO includes principles, framework and processes which when implemented enable organisations to maximise the benefits of risk management. This ISO standard is not mandated for Australian organisations. The International Association of Insurance Supervisors (IAIS): The IAIS has issued a set of Insurance Core Principles (ICPs) which establishes an internationally recognised framework for the supervision of the insurance sector. Within the ICPs are specific principles and standards relating to risk management and what regulators must require of insurers with respect to risk management - including risk policy, compliance, internal audit and enterprise level risk management. The Australian Securities Exchange (ASX): has issued Corporate Governance Principles which include a seven (7) principles on recognising and managing risk. Although these principles and their subordinate recommendations are not prescriptive, listed companies must disclose in their annual report any recommendations that have not been followed, and give reasons for not following them. Increasing systemic risk: The complexity of the modern business environment presents an increasing exposure to systemic risk. This risk can be better managed with an appropriate risk management framework which identifies, analyses and addresses these risks Reference points for the current review PHIAC

15 6. Options to improve risk management To move forward, PHIAC is proposing three (3) options for consideration by industry stakeholders to improve the effectiveness of risk management across the industry. PHIAC considers that the case for improvement has been established and that changes are required to reduce the risk of ineffective risk management within all insurers. Option 1: Retain status quo - no additional requirements regarding risk management arrangements Description: No changes or additional risk management requirements beyond those already contained in the PHI Act and the Governance Standard, which is reposed in the Private Health Insurance (Insurer Obligations) Rules Pros: No additional costs to insurers as there would be no change to the existing legislated provisions. Insurers who choose to improve the application of risk management within their organisations will do so of their own volition, potentially improving the ownership and sustainability of changes introduced. Insurers can choose a risk management system that best meets their business circumstances and commitment to risk management. Cons: Potentially no changes to the existing variability in the effectiveness of insurer risk management. Recommendations for improvement in insurer risk management remain limited to the requirements contained in the Governance Standard, which focus on the establishment of policy. Subsequently, any substantial improvements deemed necessary cannot be required and enforced. Compliance: No changes to current compliance obligations imposed by existing legislated provisions. Option 2: Quasi-regulatory risk management guidance material Description: Development and publication of guidance material to assist insurers in their understanding and application of the elements of effective risk management. This guidance material Options to improve risk management PHIAC

16 would draw on PHIAC s extensive knowledge of the operations of the industry and individual insurers, and reflect domestic and international best practice. Pros: Potentially no or limited additional costs to insurers as there would be no change to the existing legislated provisions. Insurers who choose to apply the elements of effective risk management within their organisations will do so of their own volition, potentially improving the ownership and sustainability of changes introduced. Guidance material would support the consistency of understanding and application of risk management across those insurers who choose to follow it. Cons: Potentially no changes to the existing variability in the effectiveness of insurer risk management. Recommendations for improvement in insurer risk management remain limited to the requirements contained in the Governance Standard, which focus on the establishment of policy. Subsequently, any substantial improvements deemed necessary cannot be required and enforced. Compliance: No changes to current compliance obligations imposed by existing legislated provisions. PHIAC would include as part of its fund review program, the review of an insurer s risk management against such guidance material. Compliance with any recommendations would be discretionary. Option 3: Development of a Risk Management Prudential Standard to require all insurers to adopt effective risk management practices. Description: Development of a prudential standard which prescribes risk management principles which insurers must comply with and apply to their operations. This standard would draw on PHIAC s extensive knowledge of the operations of the industry and individual insurers, and reflect domestic and international best practice. Pros: Consistency in the understanding and application of risk management elements across all insurers will be achieved. Being principles-based, the standard would allow insurers to tailor the application of the elements of effective risk management to their operations in a way that reflects their ongoing needs and business arrangements Options to improve risk management PHIAC

17 The proposed principles-based regulation will also shift the current compliance-based emphasis of documenting risk management policies, to a holistic approach to risk management which takes into account the entire operations of an insurer. Cons: There will be additional costs to those insurers who do not already have the elements of effective risk management in place. These costs may include the contracting of additional staff, training and / or the acquisition of software to improve the monitoring and reporting on risk. Compliance: Insurers would be required to comply with standard and demonstrate their compliance through: 1. An annual statement of compliance to PHIAC signed by a member of the Board on behalf of the Board indicating that the insurer has complied with the requirements of the Risk Management Standard; and 2. Ongoing compliance with the Standard, as monitored through a rolling program of reviews conducted by PHIAC on an insurer s risk management arrangements. Any compliance concerns identified, while most likely be resolved through discussion and consultation between PHIAC and an insurer, are nevertheless able to be enforced via the Council s powers. Preferred option Option 1, maintaining the status quo, is not PHIAC s preferred option as it does not address the identified issues of variability in the application of risk management in the PHI industry. Both Options 2 and 3 are more likely to contribute to achieving PHIAC s objective of improved risk management practices. Although these two approaches will have different implementation requirements, the high level elements within both would be similar and are discussed below in section Options to improve risk management PHIAC

18 7. Possible elements of risk management guidance or a prudential standard Drawing on the sources noted in section 5, PHIAC considers that the principles of effective risk management which PHIAC may consider including in quasi-regulatory guidance material, or a prudential standard are: 1. an enterprise wide risk management framework; 2. obligations for the Board and Senior Executive to set the tone at the top and encourage leadership to imbed and engender a risk management culture; 3. effective systems to capture, store, analyse and utilise risk information; 4. internal communication systems which ensure that all staff understand and are committed to implementing risk management strategies; and 5. access to appropriate risk management skills and knowledge. Most of these principles feature as orthodox elements in a range of risk management publications, standards and frameworks, both within Australia and internationally. The one exception is the element requiring the establishment of an enterprise wide risk management framework. PHIAC is of the view that such a framework will form the basis for the successful integration of risk management into the governance and management arrangements of an insurer. An enterprise wide risk management framework identifies and brings together the organisational components that contribute to the overall purpose of an insurer, and if created and applied appropriately, improves the understanding of the relationships between risk and control at all levels of the business Possible elements of risk management guidance or a prudential standard PHIAC

19 The following table expands on these principles of effective risk management. 1. Establish an enterprise wide risk management framework Requirement Benefits Demonstrated by 1.1. An Enterprise-wide Risk Management (ERM) framework be established by the insurer and approved by the insurer s Board The ERM framework forms part of an insurer s governance arrangements. Senior executives and managers understand the framework Risk management is integrated with business planning processes and used to inform the establishment of strategies and actions in business plans Contingency plans are prepared to ensure that critical business operations are safeguarded as far as possible Insurers integrate risk management processes into the development of project plans and activities. Improves visibility of risk in the organisation and links the objectives of the insurer to its risk management processes. Risk management becomes an integral part of governance and the business management model of the insurer. Improves the focus of strategies and actions in business plans on achieving objectives. Increases stakeholder involvement. Enhanced business resilience. Improved understanding of the critical business processes within an insurer. More effective project plans and activities increasing the likelihood of successful projects. The existence of an ERM framework. Evidenced by board minutes indicating consideration of the framework by the board and its approval. The integration of the ERM framework with performance management, reporting, subordinate committees, audit and organisational structure. Risk assessment reports against objectives in business plans. Evidence of control activities in business plans. Business continuity plans. Business impact analysis documents. Risk assessment reports against project deliverables. Evidence of control activities being translated into project plans Possible elements of risk management guidance or a prudential standard PHIAC

20 2. Board and senior executive leadership Requirement Benefits Demonstrated by 2.1 The Board is responsible for managing strategic risk. 2.2 The Board is to get regular, credible information from management about identified risks, the operation of controls and the compliance with internal policies and laws. 2.3 Risk management information is taken into account when important decisions are being taken. 2.4 Every five years the ERM framework should be subject to external review. Leverage off the skills and experience of board members. Set an appropriate tone at the top regarding the application of risk management. The Board can focus on strategic issues, risks and controls in the knowledge that operations are under control and that information about operations is timely, accurate and reliable. Decision-makers have more information to inform decisions. Provides assurance to the board and other stakeholders that the insurer s ERM framework is operating effectively and maximises the application of risk management within the organisation. Strategic risks identified and approved by the board including an agreed understanding of the controls/response to these risks. The risk appetite is approved by the board. Risk reports provided on a regular basis to the board that reflect the design and application of the ERM framework. Key or strategic decisions taken by the board or senior management are documented and include information about the risks to success, the effectiveness and costs of control and the likely consequences (positive and negative) of the decision. A report from the review of the ERM framework to the board Possible elements of risk management guidance or a prudential standard PHIAC

21 3. Capturing, storing, analysing and utilising risk management information Requirement Benefits Demonstrated by 3.1 The ERM framework is to ensure that information about risk moves effectively from operational to strategic areas of the business and vice versa. 3.2 The risk register is maintained and updated regularly. 3.3 The ERM framework establishes categories of risk that reflects an insurer s key business and operational objectives. 3.4 The Board and senior executives and managers receive effective and timely information on the status of risks and controls from all areas of the organisation. 3.5 The internal audit program should be risk based drawing on information from the risk register. The operational areas of the insurer have a mechanism to escalate concerns about risk levels or the effectiveness of control activities. Risk information can be properly captured, analysed and reported. Enables the understanding of how to manage risk within the business environment of the insurer. Links the objectives of the insurer to its risk management processes. Effective assurance of business control is provided to accountable officers. Early warning of issues enabling preventative action to be initiated. The internal audit program targets areas of greatest risk and consequence as well as key controls. An ERM framework that identifies relationships between risks and objectives across the organisation. Risk reports contain information sourced from the operational area. A risk management software program and evidence that relative risk levels are regularly reviewed by the Board, analysed and properly understood by staff. Clear alignment between the ERM framework and the organisational structure of the insurer. Use of the categories of risk in the structure of the risk register. The frequency and quality of risk reports provided to the board and senior management. The alignment of the internal audit program to the ERM framework and information from the risk register Possible elements of risk management guidance or a prudential standard PHIAC

22 4. Obtaining and maintaining staff commitment to risk management Requirement Benefits Demonstrated by 4.1 Board and senior management are committed to effective risk management and set the tone for the rest of the organisation. 4.2 At all levels, staff see a risk management policy that: commits the insurer to applying risk management; sets risk management objectives; establishes risk management governance arrangements; defines the risk management processes to be applied including the engagement of stakeholders; outlines the insurer s approach to risk tolerance, risk escalation and risk reporting; and mandates risk management roles and responsibilities across the insurer. 4.3 Risk management processes are adaptable to the context in which they are being applied. 4.4 All significant risks of an insurer have a responsible officer or risk owner. 4.5 Staff understand the connection between their conduct and risk in the management of the organisation. Embeds risk management into organisational culture. Demonstrates the insurer s commitment to risk management and works to obtain staff commitment to its application. Enables staff flexibility in the use of risk management processes to meet their needs. Engenders commitment. Ensures risks are managed and reported. Integrates staff behaviour into the overall control framework of the insurer. Board endorsed risk management policy and the use of risk management information in reporting and decision making. The existence of a risk management policy with the requisite components. Risk assessments are appropriately adapted to their purpose and are regularly reviewed and updated. Documents listing risk owners of all high level risks. Position statements and/or performance agreements with clear risk management responsibilities. Risk management responsibility statements in performance agreements. Involvement of staff in risk assessment workshops Possible elements of risk management guidance or a prudential standard PHIAC

23 5. Risk management skills and knowledge Requirement Benefits Demonstrated by 5.1 Board, senior executives and employees are provided with risk management training and ongoing support. 5.2 Risks are described in a way that supports the application of risk management processes. 5.3 Insurers have access to a specialist risk management capability. More effective application of risk management processes including analysis of risk and design of controls. A common understanding of risks. Enables a detailed analysis of risk resulting in more effective design of controls. Supports consistent and ongoing application of risk management. Risk management training programs. Facilitated risk management workshops. Specialist risk management function. Quality of risk management reports. Listing of high level risks. Risk reports detailing analysis and control development processes. The existence of a risk management function or role within the organisational structure Possible elements of risk management guidance or a prudential standard PHIAC

24 8. Assessment of options PHIAC seeks feedback on the options presented in this discussion paper from industry, consumers and other interested stakeholders. To assist PHIAC s analysis of the options, submissions should evaluate the relative merits of each of the three (3) options, and, where practicable, the costs associated with the potential implementation and ongoing compliance of each proposal. Following receipt of submissions, PHIAC will analyse the options to improve the effectiveness of risk management in the private health insurance industry. This analysis will consider all views of the options presented in this discussion paper, in terms of: potential to achieve the desired outcome; cost of implementation to industry and consumers; and ongoing compliance requirements. The assessment of options will be largely influenced by the feedback, comments and submissions received Assessment of options PHIAC

25 9. Invitation to Comment This discussion paper outlines options for improving the effectiveness of risk management arrangements in private health insurers. PHIAC invites submissions on any element of the paper but is specifically interested in stakeholder views on the abovementioned three (3) options for improvement, and the extent to which each option will potentially: achieve the required improvements in risk management; impose unnecessary or unjustified costs on insurers; and / or impose excessive compliance obligations on insurers. All information (including name and address details) relating to a submission may be made publicly available via PHIAC s website, and may be referenced in future PHIAC papers and reports. If you prefer that some, or all, of your submission remains in confidence, you should state this in your submission and the confidential material should be clearly identified and included in a separate attachment. You should carefully consider the information contained in your submission as the confidentiality of your response might be affected by legal requirements such as the Freedom of Information Act PHIAC invites submissions and requires that they be received on or before COB Friday, 15 March Submissions can be ed to phiac@phiac.gov.au or sent to: General Manager, Industry Operations Private Health Insurance Administration Council PO Box 4549 KINGSTON Invitation to Comment PHIAC

26 10. Next steps The next steps in the review of risk management arrangements in insurers include: Date: 2013 Action 21 January Discussion Paper issued for a 8 week consultation period 15 March Discussion Paper submissions due March/April PHIAC consideration of feedback, comments and submissions May Second Discussion Paper issued for another 8 week consultation period June/July Second Discussion Paper submissions due July/August PHIAC consideration of feedback, comments and submissions 2 nd half 2013 Adoption of preferred option Next steps PHIAC

27 11. Abbreviations used in this paper ACCC Australian Competition and Consumer Commission APRA Australian Prudential Regulation Authority ASIC Australian Securities and Investments Commission ASX Australian Securities Exchange Board The board of directors of a private health insurer COB Close of business (usually 1700hrs) ERM Enterprise Risk Management Framework FOI Act Freedom of Information Act 1982 Fund The health benefits fund or funds of an insurer registered under the Private Health Insurance Act 2007 IAIS International Association of Insurance Supervisors ICP Insurance Core Principles issued by the IAIS Insurer A private health insurer registered under the Private Health Insurance Act 2007 ISO International Organisation for Standardisation PHIAC The Private Health Insurance Administration Council PHI Act The Private Health Insurance Act Abbreviations used in this paper PHIAC

28 12. Relevant legislative extracts Extracts from the Private Health Insurance Act 2007 Section Private Health Insurance (Insurer Obligations) Rules to establish prudential standards (1) The Private Health Insurance (Insurer Obligations) Rules may establish prudential standards (2) Prudential matters are matters relating to: (a) the conduct by private health insurers of any of their affairs in such a way as: (i) (ii) to keep themselves in a sound financial position; or not to cause or promote instability in the Australian private health insurance system; or (b) the conduct by private health insurers of any of their affairs with integrity, prudence and professional skill; but does not include matters relating to the solvency or capital adequacy of health benefits funds. (3) A *prudential standard may impose different requirements to be complied with: (a) (b) (c) by different classes of private health insurers; or in different situations; or in respect of different activities. (4) A *prudential standard may provide for the Council to exercise powers and discretions under the standard, including but not limited to discretions to approve, impose, adjust or exclude specific prudential requirements in relation to a particular private health insurer or a particular class of private health insurers. (5) A *prudential standard takes effect on the day on which it is established in the Private Health Insurance (Insurer Obligations) Rules, or on such later day as is specified in the Private Health Insurance (Insurer Obligations) Rules Relevant legislative extracts PHIAC

29 *Note: The prudential standards are established by the Private Health Insurance (Insurer Obligations) Rules. Section Functions of the Council General (1) The functions of the Council are: (a) (b) (c) (d) (e) (f) (g) (h) to administer the Risk Equalisation Trust Fund; and to administer the registration of private health insurers under Part 4-3; and the information collection function under subsection (2); and the compliance functions under subsection (3); and the enforcement functions under subsection (4); and the public information functions under subsection (5); and the agency cooperation functions under subsection (6); and to advise the Minister about the financial operations and affairs of private health insurers; and (i) (j) functions incidental to any other functions of the Council; and any other functions conferred on the Council by this, or any other, Act. Information collection function (2) The information collection function of the Council is to obtain from each private health insurer regular reports about the insurer s operations, including reports supported by actuarial certification. Compliance functions (3) The compliance functions of the Council are: (a) to establish a *solvency standard and a *capital adequacy standard to be complied with by private health insurers, and to give solvency directions and capital adequacy directions to private health insurers; and Relevant legislative extracts PHIAC

30 *Note: The solvency standard and the capital adequacy standard are established by the Private Health Insurance (Health Benefits Administration) Rules. (b) to exercise powers and discretions under the *prudential standards, and to give directions to private health insurers relating to compliance with the prudential standards; and *Note: The prudential standards are established by the Private Health Insurance (Insurer Obligations) Rules. (c) to consider, in accordance with Division 160, whether persons should, or should not, be appointed actuaries; and (d) to consider, in accordance with Division 166, whether persons should, or should not, be disqualified persons; and (e) to examine, from time to time, the financial affairs of private health insurers, by the inspection and analysis of the records, books and accounts of the insurers and any other relevant information; and (f) to review, by carrying out independent actuarial assessment, the value of the assets and liabilities of each health benefits fund; and (g) if it is necessary, for the purpose of making a proper examination of the financial affairs of a private health insurer, for the Council to incur unusually high costs to impose an appropriate fee on the private health insurer concerned. Enforcement functions (4) The enforcement functions of the Council are: (a) to take action under Part 5-2 to monitor compliance with, and to encourage or compel compliance with, Council-supervised obligations; and (b) to appoint, under section 214-1, inspectors for the purpose of investigating the affairs of private health insurers under Division 214, and to exercise other related powers and functions of the Council under that Division; and (c) to appoint, under Subdivision 217-B, persons as external managers of health benefits funds, and to exercise other related powers and functions of the Council under Division 217 and Relevant legislative extracts PHIAC

31 Public information functions (5) The public information functions of the Council are: (a) to make statistics, and other financial information, relating to a private health insurer or private health insurers, publicly available in accordance with the Private Health Insurance (Council) Rules; and (b) to collect and disseminate information about private health insurance, for the purpose of enabling people to make informed choices about private health insurance. Agency cooperation functions (6) The agency cooperation functions of the Council are: (a) to cooperate with other regulatory agencies on matters affecting private health insurers and the private health insurance industry generally; and (b) to provide the Private Health Insurance Ombudsman, from time to time, with information in the Council s possession that the Council considers likely to be of use in production of the State of the Health Funds Reports referred to in paragraph 238-5(c) Relevant legislative extracts PHIAC