White Paper
January 2012

The Risk Management Imperative

Service organizations in the insurance and annuity industry have a responsibility to partner with their clients on risk management responsibilities for their activity, and to demonstrate to clients their commitment to build and maintain ongoing risk management best practices.
Introduction

Managing and evaluating risk is integral to the life insurance and annuity industry. Virtually every activity a carrier engages in can impact the company's overall risk exposure. Protecting the relationships that carriers have with customers and agents, including their private and confidential information, is of particular importance. These risks inherent to the insurance industry are well understood by insurance professionals, and are often the source of concerns about outsourcing work or data to service organizations that may not have the same appreciation for these important relationships.

Service organizations with roots in the insurance industry, however, hold a deep, long-term institutional understanding of the nature of these risks. These industry-based organizations understand the need to develop and offer strong risk-oriented controls and risk management best practices in conjunction with their services. Those that fully understand and appreciate these risk considerations are best positioned to successfully minimize them.

[Figure: Risks Assessed Across the Organization. Enterprise Risk Management: Franchise Risk; Regulatory Risk; Service Processing; Systems & Systems Development; Intellectual Property; Competitive Positioning; Human Resources.]

Best-practice service organizations are focused on creating and maintaining strong, effective risk management procedures. Their objective is to allow insurance and annuity companies to safely and confidently take advantage of the cost-saving capabilities of the service organization model without adding undue levels of risk exposure.
The Nature of Risk

Doing business in the life insurance and annuity sphere involves an array of inherent risks. The varieties of operational risk include:

- Customer Relationships
- Data Management
- Data Security
- Customer Privacy
- Reputational and Financial

It is the existence of these risks, and an insurance professional's understanding of them, that has traditionally been a point of resistance within the industry to utilizing a service organization for administration of business processing activity. Despite the demonstrated efficiencies that service organizations can deliver, concerns about risk management have kept the insurance industry from the wholehearted embrace of this model that has occurred in many other financial services sectors, such as the mutual fund industry.

Insurance and annuity companies that perform all business processing in-house maintain total control of the risk management process, and total responsibility for those risks. Assigning business-processing tasks to an external service organization cedes some level of control over risk management. This occurs in all phases of service organization administration activity:

- Conversion of business processing to updated platforms
- Creation of new products
- Ongoing administrative support

This ceding of control occurs whether the service organization model involves outsourcing of work to new personnel, or processing data on software hosted by a service organization, or a combination of the two. Many risk management professionals view this loss of control as an inherent increase in risk, or as the addition of a new category of risk. A service organization that does not recognize, understand and address this situation will not satisfy the risk management concerns of the insurance carrier.
To satisfy the legitimate risk management concerns of the carrier, service organizations must become partners in risk management.
That role can be competently and credibly filled by a service organization with demonstrated knowledge, expertise and experience in insurance risk management. The optimal solution occurs when the risk management function becomes a joint enterprise of the service organization and the carrier, focused on managing risks that have financial and reputation impacts and affect value drivers generated by service organization activities. To be most effective, this partnership effort must include transparency into the service organization's risk management procedures in order to build trust and confidence in the relationship.

Service Organization Risk Management Best Practices

Not all service organizations have the background and capability to design, implement and monitor risk management best practices. That requires a deep and thorough understanding of the nature of risk in the life insurance and annuity industry. At best-practice service organizations, an executive-level Risk Management Committee meets monthly to monitor controls; ensure sound policies, procedures and practices have been put in place; and assess the overall status of the risk environment. Best practices also require a commitment to employee training, and maintaining a corporate culture that emphasizes risk management as a companywide priority and the responsibility of each individual employee. To ensure that risk management processes are maintained, emphasized and constantly updated, best-practice organizations will embed these processes in their Enterprise Risk Management (ERM) programs.

[Figure: Objective Operational Risk Scoring Results, performed by se2. Panels: Operational Risk Assessment, Inherent Risk; Operational Risk Assessment, Residual Risk. Scale on each panel: Low 0, Moderate 4, High 7, up to 10. Values shown: 3.98 and 5.88.]
Based on their thorough understanding of the nature of insurance and annuity industry risk, best-in-class service organizations will look internally at systems and processes to identify sources of risk. Procedure and design workflows are created to identify where controls are needed, and any identified risks are constantly monitored. Risk-aware organizations understand that a strong risk culture, tied to sound risk mitigation controls, not only minimizes risk, but also drives quality, accuracy and accountability in the management of client data.

Transparency is another critical component of a best-practice ERM program. When service organizations share detailed documentation of risk management procedures and activity with their clients, that provides assurance that best practices are being maintained. In best-practice models, service organizations and their clients jointly design and implement a risk management protocol that:

- Considers end-to-end processes and risk controls as service processes and data move between both organizations
- Includes detailed diagrams of data flows and control mechanisms as processes and data move between clients and the service organization's systems
- Relies on client input and consultation on the final configuration of data flows and risk controls
- Provides full transparency with detailed exception reports provided on an ongoing basis, including descriptions of mitigation procedures
- Provides trend analysis and addresses continuous improvement activity

Best-practice organizations are investing in automated reporting systems to monitor adherence to risk controls involving system-to-system data movement and integrity. Such systems provide the ability to identify and flag errors and issues that arise during system integration points, both in real time and during batch processing.
These systems are designed to provide real-time dashboard reporting so that responsible parties can track the status of control issues to ensure they have been addressed and resolved. This allows management to immediately see exceptions and to utilize tools such as correlative analysis to identify and address the root causes of errors. In many companies, the root cause of a systems control issue can go undiagnosed for years.
These systems also help drive accountability by ensuring that all errors, identified exceptions and issues are tracked, and all unresolved items are brought to management's attention.

Enterprise Risk Management Delivers Value

Best practices in enterprise risk management deliver substantial value to both service providers and client carrier companies in the insurance and annuity industry. Fundamentally, such programs drive higher quality and accuracy into business processing activities, resulting in a high confidence in processing integrity, improved customer satisfaction and a positive business reputation. In addition, a shared responsibility for risk management by service organizations and client carriers, combined with transparency, results in strong risk control and yields a reduction in organizational stress, and all the benefits that entails. Finally, sound risk controls can result in lower customer service costs to the organization.
Making it happen. Find out what you've been missing, at no risk to your enterprise. Contact se2 at contact@se2.com or 800.747.3940.

5801 SW 6th Avenue, Topeka, KS 66636
800.747.3940
se2.com