Frequently Asked Questions in Identifying and Assessing Prospective Risks

To: Financial Examiners
From: NAIC Examination Unit Staff
Date: May 4, 2015
Re: Frequently Asked Questions in Identifying and Assessing Prospective Risks

The following FAQ provides information on common questions posed by examiners when identifying and assessing prospective risks. The template of the FAQ follows the Exhibit V Matrix columns. The first two examples within this exhibit are provided at the end of this memo in Appendix A.

1. Prospective Risk Identified

This column of Exhibit V is used for documenting overarching prospective risks that the examiner identified as a result of the knowledge and understanding of the company gained during planning.

Q1. Why are prospective risks important?

The Financial Condition Examiners Handbook (Handbook) Introduction (D) states that the intent of the risk-focused surveillance process in a risk-focused examination is to determine areas of higher risk to enable more efficient use of examiner resources. The primary purpose of a risk-focused examination is to review and evaluate an insurer's business processes and controls (including the quality and reliability of corporate governance) to assist in assessing and monitoring its current financial condition and prospective solvency. As part of this process, the examiner identifies and evaluates risks that could cause an insurer's surplus to be materially misstated, both currently and prospectively. In short, prospective risks should be among the areas of focus for examinations, as this is a key part of the regulatory charge of the states. While financial risks are reviewed in detail by others such as auditors, prospective risks typically are not.

Consider the example provided by Prospective Risk 1 in Appendix A (excerpt from Exhibit V). The issue of compensation practices encouraging risky behavior may have been identified by auditors, but this risk may not have been subject to audit procedures because it has no direct impact on the financial statements. While this may be appropriate for auditors, these sorts of risks require a response from the examination because the compensation practices could pose a long-term threat to the insurer's solvency. Examiners are specifically charged with solvency monitoring, while auditors are charged with ensuring the accuracy of the information reported in the audited financial statements.

Q2. How do I identify prospective risks for my insurer?

The process to identify prospective risks is the same process used to identify risks placed on a Key Activity Matrix. Exhibit V states: "Based on the knowledge and understanding of the company obtained during the planning stages of the exam, document any overarching prospective risks identified." Therefore, prospective risks can be identified by any of the means by which traditional financial reporting risks are identified (e.g., documents reviewed as part of understanding the company, discussions with management, review of the 10-K filing, discussions with analysts). The following diagram should serve to illustrate this point. Exhibit V, Part Two contains a listing of common areas of concern that examiners may use as a brainstorming tool in the risk identification process.

Q3. How do I decide whether to place my risk on Exhibit V or a Key Activity Matrix?

Risks placed on Exhibit V tend to impact multiple key activities or may simply not align with a single key activity; they may also have entity-wide implications (i.e., they are overarching risks). These overarching risks benefit from the format of Exhibit V. Because of the nature of these risks, it can be difficult to walk through the concepts of likelihood of occurrence and magnitude of impact. Using Exhibit V to address these risks allows examiners to focus on risk mitigation and additional review procedures and/or ongoing monitoring. The decision to place a risk on the prospective risk matrix or a key activity matrix is a relevant decision, but not one that requires extensive consideration; responses to the risks should be consistent with the risk level regardless of the exhibit on which the risk is placed.

2. Branded Risk Classification

This column of Exhibit V is used for identifying the branded risk category associated with each risk.

Q4. Why is it important to identify the branded risk classification for each risk listed on Exhibit V?

Branded risk classifications (BRC) are the common language between the examination and analysis functions. Knowing the BRC for each risk will facilitate communication of exam conclusions to analysts and will likewise enhance the examiner's ability to use the results of analysts' work to identify risks on an examination.

3. Risk Mitigation Strategies

This column of Exhibit V is used for identifying the risk mitigation strategies the insurer has in place (if any) to address the prospective risk.

Q5. How do I identify risk mitigation strategies for prospective risks?

The insurer determines the level of risk that it is willing to accept on a variety of risks and often will describe its risk mitigation strategies in discussions with examiners. Risk mitigation strategies can also be identified using the resources described in Handbook guidance. Section 2, Phase 3 (A) of the Handbook states that the insurer's internal controls/risk mitigation strategies can be identified using a number of sources, including company control documentation and documentation from external and/or internal auditors. This documentation could include narrative descriptions, flowcharts, Sarbanes-Oxley compliance documentation and/or other source information; examiners may also utilize walkthroughs of key processes to further their understanding of the existing controls in place.

In short, discussions with management and review of process documentation (including documentation included in the insurer's ORSA report, as applicable) are key steps in identifying risk mitigation strategies. Even after completing these steps, however, it is possible that no relevant risk mitigation strategies are in place for the risk identified. In these situations, and taking into consideration the results of ongoing examination work and the prospective risk assessment, the examiner should consider communicating the concern back to management through a management letter or other means to ensure that a response to the risk is developed going forward.

Q6. What if the risk mitigation strategy provided by management is not designed properly to mitigate the risk?

Section 2, Phase 3 (A) states that when identifying controls, the examiner should consider that although a control or multiple controls exist in a particular area, they may not be designed effectively to mitigate the specific identified risk being evaluated by the examiner. Therefore, the examiner should understand and assess the design of each internal control identified; during the review of the design of controls, the examiner should take into consideration the type of control and how well it appears to mitigate the inherent risk. Risk mitigation strategies provided by the company may mitigate only a portion of the risk or, in certain situations, may not mitigate the risk at all.

In these situations, the examiner should consider engaging management in a discussion to determine whether any other risk mitigation strategies are in place to respond to the risk. Questions such as "What prevents this risk from happening?" may help elicit an applicable response. If management is not able to provide the examiner with a risk mitigation strategy that effectively addresses the risk, the examiner should take this into consideration when determining the prospective risk assessment for the risk statement.

Section 2, Phase 3 (B) gives guidance on evaluating risk mitigation strategies and controls. The following are questions that the examiner may consider when evaluating risk mitigation strategies (note that additional questions are provided in Handbook Section 2, Phase 3 (B)):

- Whether risk policies, guidelines and limits at the insurer are appropriate and consistent with its significant business activities, management experience level and overall strength.
  o Consider the example provided by Prospective Risk 1 within Exhibit V. The risk is that the company's executive compensation practices encourage and/or reward excessive risk-taking and may induce fraudulent behavior. One of the strategies in place is to limit variable compensation to a percentage of salary and tie it to performance over a 5-year period. In theory the strategy would be part of an effective mitigation of the risk. However, if the percentage limit is excessively high relative to industry standards, or if the performance metrics can only be achieved through excessive risk-taking, the compensation policy would in fact increase the risk instead of mitigating it. This assessment requires that the examiner understand the business activities in order to determine how the compensation policy might impact behavior and, in turn, results of operations.

- Whether the qualitative and quantitative assumptions implicit in the risk management process are appropriate.
  o Consider the example provided by Prospective Risk 2 within Exhibit V. The risk is that the company may experience rating agency downgrades, causing the company to be unable to sell its products. In response to this, the company monitors and manages its financial performance using metrics identified by the rating agencies and utilizes models to determine its economic capital needs. One implicit assumption within this process is that the company has selected the right mix of metrics to monitor performance (e.g., the rating agencies may track 15 distinct metrics while the company uses only 5). The company should not cherry-pick metrics to monitor its performance; it should instead use metrics that are representative of those used by the rating agency. Quantitative assumptions may be identified through review of the model used and should be considered by the examiner when evaluating the quality of this risk mitigation strategy. If the company is modeling performance assuming 15% growth when it has only seen 5% growth in recent years, the examiner would likely need to challenge the quality of this assumption.

4. Corroborating Evidence and Documentation

This column of Exhibit V is used for documenting the corroborating evidence and other documentation that supports the risk mitigation strategy.

Q7. How do I test risk mitigation strategies?

Once the effective design of a risk mitigation strategy is established, examiners must still ensure that the strategy is operating effectively. The focus of examiners in achieving this objective should be to verify the information provided by the company, document the corroborating evidence reviewed, and conclude on the effectiveness of the risk mitigation strategies. Consider the following common risk mitigation strategies.

- Risk is addressed by a policy.
  o Examiners should obtain and review a copy of the policy in place.
  o Does the policy include the necessary detail to fully address the risk?
  o Is the policy reasonable given the size of the company and the extent of the risk exposure?
  o How is compliance with the policy ensured?

- Management or a third party prepares a detailed analysis or performs modeling specific to a risk.
  o Examiners should obtain and review a copy of the analysis or modeling performed.
  o Are the people performing the analysis qualified to do so?
  o Who is involved in the review of the results of the analysis?
  o What actions or changes typically result from this analysis?

- The board reviews a process, policy, results of operations, etc.
  o Is the board qualified to review the process?
  o What level of detail is provided to the board, and is that sufficient to accomplish the objective?
  o How often does the board meet to review the process? Obtain board minutes and consider using a sample to verify this activity.
  o Consider the extent of the board's involvement in reviewing or challenging the process. Consider whether any questions are posed by the board or whether any meaningful changes have occurred as a result of this process, as evidence of the level of involvement.

The examiner should understand the operation of the risk mitigation strategy and should perform some amount of corroboration of the information provided. Inquiry with company executives may be a starting point in addressing a risk mitigation strategy, but inquiry alone is typically insufficient to fulfill the corroboration requirement for the risk mitigation strategies identified. Examiners may consider interviewing multiple personnel (including those executing the strategy) to verify that the strategy is indeed operating effectively; however, examiners should not limit testing of risk mitigation strategies to interviews alone. Specifically, examiners should strongly consider using reperformance and examination of documents to obtain the necessary corroborating evidence.

Examiners should also consider the timing of the risk mitigation strategy and the associated testing. For example, for Prospective Risk 1 discussed above, if changes have been made to the compensation policy recently, the examiner should consider reviewing the compensation policy in effect on the date of inquiry instead of the compensation policy in effect on the as-of date. Generally speaking, reviewing the company's current version of a strategy or policy is more appropriate for determining the long-term adequacy of the strategy in place. The Other Than Financial Reporting sections of the risk repositories (Section 3 of the Handbook) may provide testing ideas for various types of risk mitigation strategies. Furthermore, examiners should review the Exhibit V examples for additional guidance on how risk mitigation strategies may be tested.

Q8. Does my testing of risk mitigation strategies require that I use a sample?

Depending on the nature of the risk mitigation strategy (e.g., multiple instances or occurrences over the course of a year), it may be appropriate to use a sampling methodology to determine the effectiveness of the strategy throughout the year. For instance, where a quarterly board meeting is used as the monitoring control for a risk, examiners should consider reviewing several sets of board minutes to ensure the appropriate level of supervision is being performed by the board over the course of the year. Other mitigation strategies that focus more on overall strategy may not require a sample; testing should instead focus on obtaining documents to corroborate management's representations.

5. Prospective Risk Assessment

This column of Exhibit V is used for documenting the prospective risk level (High, Moderate or Low) that remains after considering the nature of the risk and the company's mitigation strategies, including a brief explanation of that determination.

Q9. Is the prospective risk assessment the same as residual risk or inherent risk?

The prospective risk assessment is a different measurement of risk from the residual risk and inherent risk designations. Residual and inherent risk designations require that examiners determine the likelihood of occurrence and the potential impact to surplus, which are often difficult to ascertain for some prospective risks. Instead, the prospective risk assessment is the risk level that examiners identify after considering the nature of the risk and the company's mitigation strategies. This makes the concept similar to the residual risk assessment, because it considers the company's response to the risk, but still distinct, because it is not an explicit computation of inherent risk adjusted for controls, plus or minus examiner judgment, as would be the case for risks placed on a key activity matrix.

6. Ongoing Examination Procedures and Follow-Up

This column of Exhibit V is used for documenting any additional procedures that the examiner deems necessary to further understand or address the risk. This could include the plan for follow-up, such as specific procedures for continual monitoring, communication with the analyst, limited-scope examinations, revisions to the Supervisory Plan or Insurer Profile Summary, etc.

Q10. What do I do if I have a risk that could not be sufficiently mitigated by the company's risk mitigation strategies?

Similar to Phase 5 of a key activity matrix, the Exhibit V column called Ongoing Examination Procedures and Follow-Up should be used to document any detailed follow-up performed to further respond to the risk identified. The extent of work performed in response to the risks identified should be based on the prospective risk assessment. Risks with a high prospective risk assessment should have extensive examination procedures or follow-up performed, while risks with a low or moderate prospective risk assessment may have a more measured response.

In the first example within Exhibit V, the risk identified is that compensation strategies may encourage excessive risk-taking and induce fraudulent behavior. After reviewing and testing the risk mitigation strategies, the examination team assesses the risk as moderate and considers further follow-up necessary. The examination team performs its own benchmarking against competitors/industry averages and provides a recommendation to analysts to monitor expense ratios and executive compensation going forward to ensure this risk is properly monitored. Note that this risk is addressed both by an examination response and by detailed instruction for analyst follow-up.

In situations where the risk cannot be fully addressed, examiners should consider whether formal communication to management via a management letter or other means is appropriate. For some risks, examiners may not have a means of testing the risk independently. Examiners may consider requesting more information on the risk in lieu of additional testing to ensure that it can be properly monitored on an ongoing basis. See the considerations provided in Q11 for information that may be relevant to the examiner.

Q11. What sort of follow-up should I provide to the analyst?

Examiners should provide analysts with information that allows them to leverage work already performed by examiners. For instance:

- Are there key reports available that the analyst can request?
  o The specific title, the frequency with which the reports are generated and specific contact information will be helpful to provide.

- Are there changes to controls/risk mitigation strategies that the analyst can specifically ask about? Consider the extent of information needed to enable the analyst to ask detailed questions tailored to the insurer's circumstances.
  o For example, if management was asked to revise an investment policy to incorporate limitations on market concentrations, the examiner should provide the analyst with the context for this recommendation and contact information for the person in charge of the update. With this information, the analyst would be aware of the recommendation and the expected follow-up, would know whom to contact, would know what to ask for, and would know what to look for when reviewing the document.

- Who are the primary contacts to obtain the necessary information?

- Are there specific financial ratios or other data that can be observed more closely?

- Has the company made specific projections that the analyst can compare against actual data as it becomes available?

- What is the anticipated time frame for the company to have the information available?

For significant risks, a bare recommendation that analysts monitor the results of the company is typically insufficient follow-up on a specific risk; additional detail must be provided. With respect to communication with analysts, examiners should focus on providing the additional value gained from being on site with the company.

Appendix A (excerpt from Exhibit V)

Example Prospective Risk 1

Prospective Risk Identified: The company's executive compensation practices encourage and/or reward excessive risk-taking and may induce fraudulent behavior.

Branded Risk: OP

Risk Mitigation Strategies: The board of directors maintains an independent compensation committee that meets at least annually to update the strategy and approve executive compensation. Variable compensation is limited to a percentage of salary and is based on qualitative and quantitative performance over a rolling 5-year period.

Corroborating Evidence and Documentation: Reviewed minutes of the 20XX compensation committee meeting (see A.1.1), noting that actions were taken as described by the company. Obtained and reviewed the variable compensation plan (see A.1.2), noting the cap as a percentage of salary. Reviewed the schedule calculating 20XX variable compensation for executives (see A.1.3), noting that the calculation is based on five-year results and ties to the GL.

Prospective Risk Assessment: Although the company carries a high expense ratio and the department had identified concerns with compensation in the past, it appears that the company has put additional controls in place to mitigate risks relating to executive compensation. As such, a Moderate prospective risk rating is deemed appropriate.

Ongoing Examination Procedures and Follow-Up: Based on the moderate prospective risk rating, total compensation awarded to the top five executives in the company was benchmarked to competitors and industry averages (see A.1.4). Although the company appears to be on the high end of the range, compensation did not appear unreasonable. The analyst will be asked to closely monitor changes in the expense ratio and executive compensation to determine if additional action is necessary.

Example Prospective Risk 2

Prospective Risk Identified: The company may experience rating agency downgrades, causing the company to be unable to sell its products.

Branded Risk: ST, RP

Risk Mitigation Strategies: The company has processes in place to monitor and manage its financial performance in accordance with metrics considered significant by rating agencies. The company utilizes modeling to determine its economic and rating agency capital needs.

Corroborating Evidence and Documentation: Reviewed financial reports for evidence of monitoring of rating agency performance measures and management review, noting that the company appears to be meeting its benchmarks without exception (see A.1.4). Obtained and reviewed the economic capital calculation at 12/31/XX, noting that rating agency considerations are included in the process and that the company appears to hold capital in excess of the calculated amount. See A.1.5 for more information.

Prospective Risk Assessment: The company has product lines sensitive to a ratings decrease; however, it appears that the company has appropriate controls and strategies in place to maintain strong ratings. As such, a Low prospective risk is deemed appropriate.

Ongoing Examination Procedures and Follow-Up: Based on the low prospective risk, no additional work is necessary at this time. However, we request that the analyst notify the examination unit if a future rating downgrade occurs so that the units can collaborate regarding actions to be taken (e.g., a limited-scope exam) at that time.