Strengthening governance, risk and
compliance in the insurance industry
An Economist Intelligence Unit report
Sponsored by SAP
© Economist Intelligence Unit Limited 2009
Strengthening governance, risk and
compliance in the insurance industry
Preface
Strengthening governance, risk and compliance in the insurance industry is an Economist Intelligence Unit
report sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this report. The
Economist Intelligence Unit’s editorial team conducted the interviews and wrote the report. The findings
and views expressed in this report do not necessarily reflect the views of the sponsor. Dan Armstrong was
the editor of the report and Mike Kenny was responsible for layout and design. Our thanks are due to all
of the survey respondents and interviewees for their time and insights.
February 2009
1
Strengthening governance, risk and
compliance in the insurance industry
© Economist Intelligence Unit Limited 2009
Strengthening governance, risk and
compliance in the insurance industry
I
nsurance companies have long struggled to gain greater efficiency and transparency in their financial
processes through automation and process redesign. Their efforts have generally been focused on the
negative goals of controlling costs, reducing sudden financial shocks and avoiding regulatory sanctions.
However, some companies are discovering that a more integrated approach to managing financial
processes can be a source not only of efficiency but also of strategic advantage.
Many companies are aiming at achieving that added value through governance, risk and compliance
(GRC) initiatives, which embed rules, processes and controls in keeping with a carrier’s operating policies
and strategic objectives. These measures provide greater transparency into day-to-day operations, help
to identify potential risk exposures, and enable companies to react in a timely fashion to emerging risks.
GRC is characterised by efficiency and accuracy, but can also add the dimension of providing a synoptic
picture of risk to support strategic decision-making.
That sort of insight has become suddenly much more important in 2009, in the wake of a financial
crisis that could just as accurately be termed a risk management crisis. While strict solvency requirements
helped the insurance industry to weather the crisis better than their counterparts in banking and
securities, some insurers did encounter unforeseen exposures in their investment portfolios, the
consequences of which are yet to be fully realised. There is little question that many insurers lacked the
capability to develop a comprehensive picture of risk exposure at a corporate level, comprising credit,
market and operational risk.
Moreover, insurers operating in the European Union face challenges stemming from the updated set
of regulatory requirements known as Solvency II. The Supervisory Review Process of Solvency II aims to
identify institutions with financial, organisational or other features that result in a higher risk profile.
Because the authorities will review financial processes as well as governance and capital reserves, it will
be necessary to know who know who participates in each process, what the person does, and the results of
the process.
The problem with autonomy
Achieving a unified enterprise view of financial process remains an almost quixotic goal in much of the
insurance industry because of the operational autonomy of business units. Even in companies that
enjoy a high degree of process automation, consistent use of practices and tools across the enterprise
2
© Economist Intelligence Unit Limited 2009
Strengthening governance, risk and
compliance in the insurance industry
Figure 1: Insurers struggle with complexity, inconsistency and incompatibility
What are the biggest problems with your current financial processes? Select up to three.
(% respondents)
Complex procedures which are difficult to model or automate
36
Inconsistent methodologies around the organisation
36
Incompatible technology (eg, customised spreadsheets, databases and commercial products)
33
The need to reconcile inconsistent or redundant data from multiple sources
33
Boundaries between departments, with departmental managers trying to hold on to authority
29
Too many manual processes
29
Controls which are too numerous or restrictive
21
Portions of the process depend on individuals who are not always available
19
Lack of visibility and accountability
16
The need to document audit trails
12
Other
5
Source: Economist Intelligence Unit survey, 2009.
is rare. As Figure 1 shows, insurers struggle with complex procedures, inconsistent methodologies and
incompatible technology. In order to produce a complete financial picture on which to base decisions,
survey respondents report the need to reconcile inconsistent or redundant data from disparate sources.
To some degree insurers are more concerned about the risks of improving their processes than the
risks those processes can reveal, as illustrated by Figure 2. Nearly half of the respondents cited high
cost as a barrier to standardising and automating financial processes. They also reported difficulties
caused by the complexity of modeling financial process and the incommensurability of regulatory
regimes within different lines of business. Responses also showed that the siloed organisational
structure of insurance companies made securing buy-in from line-of-business managers more difficult
than corporate-level leadership.
Securian Financial, a $2.8 billion US life insurer based in Minnesota, eased its transition to an
economic capital-based approach to risk management by enlisting business managers into working
About the survey
In 2008 and early 2009, on behalf of SAP, the
Economist Intelligence Unit surveyed 446 senior
executives from ten industries about their views on
their financial processes and their attempts to improve
them. Of this total, 58 came from the insurance
industry (both life and property and casualty). It is
these insurance executives upon which this paper is
based. Of these respondents, 30% hailed from Europe,
25% from North America and 20% from the Asia/Pacific
region. Over half worked for companies with annual
revenues in excess of $1bn. One-third have positions
in the C-suite and another 24% came from the VP level
or higher. Most respondents served in the finance,
risk management, strategy, business development or
operations functions.
3
© Economist Intelligence Unit Limited 2009
Strengthening governance, risk and
compliance in the insurance industry
Figure 2: Insurers want to improve data integrity and cut back on manual processes
What would be the biggest benefits of an initiative to standardise and automate your financial processes? Select up to three.
(% respondents)
Enhancing data integrity
50
Cutting back on manual processes, decreasing risk of error
48
Freeing staff from routine number-crunching, redeploying into higher-value activities
43
Meeting compressed deadlines/improve response time
34
Reducing costs
24
Better visibility into origin of numbers and how they are calculated
17
Standardisation of methodologies around the enterprise
16
Higher productivity
16
Able to set risk thresholds, data access and other controls centrally
12
Better compliance with regulatory requirements
10
Able to identify and resolve bottlenecks
9
Fewer opportunities for fraud
3
Other
2
Source: Economist Intelligence Unit survey, 2009.
groups on key topics. “Our approach was to work with them to achieve ‘quick wins’ demonstrating the
advantages of the new way of measuring risk and value,” says Vice President and Chief Actuary Leslie
Chapman. “For example, we formed an asset/liability management group. We have found that by having
every business line actively engaging in dialogue has help drive buy-in.”
Chapman credits a combination of corporate risk management culture and the power of automation
in enabling Securian to more precisely measure and project risk exposure. By building a platform
allowing a view of risk from an economic capital perspective, the company is able to see the impact
of decisions from multiple perspectives, which simultaneously enables more secure and more
opportunistic management of risk.
“We have enhanced our financial processes and reporting over the years so that we can spend less
time quantifying and more time analysing,” comments Chapman. “We couldn’t do this at all without
automation. But the value is multiplied as we get faster, enabling us to spend more time on decisionmaking, which results in higher-quality decisions.”
Securian is clearly not alone in its appreciation of the potential benefits of more automated financial
processes as demonstrated by survey respondents’ reports of the benefits their companies have enjoyed
(Fig. 3). Respondents say that higher levels of automation have yielded faster processes with fewer
errors while at the same time requiring less staff to manage them. By embedding risk assessments
into financial processes, two-thirds of respondents’ enjoyed greater efficiency and over 80% reported
higher-quality decisions.
4
© Economist Intelligence Unit Limited 2009
Strengthening governance, risk and
compliance in the insurance industry
Figure 3: Insurers say automation yields greater speed, lower costs and better decisions
Percentage reporting increase as a result of process automation
Percentage reporting decrease as a result of process automation
Number of poor-quality decisions
Audit costs
Control errors
Time required
Headcount
-70
-60
-50
-40
-30
-20
-10
0
10
20
Source: Economist Intelligence Unit survey, 2009.
Despite these successes, very few insurers have overcome either the cost and difficulty barriers to
achieving enterprise GRC capability. Few companies have developed the discipline of balancing asset
and liability risk and tend to manage these portfolios independently. Most insurers continue to manage
“through the rear-view mirror,” attempting to predict the future solely on past performance, often on
the basis of stale reports. Few companies can produce accurate, near-real-time information to support
decision-making, and fewer still have mastered scenario analysis and regular risk stress-testing. While
insurers have become very comfortable with many tools and technologies within operational silos, the
industry at large has not invested in the capabilities needed to correlate all of its risk exposures and track
their interdependencies.
The value of aligned processes
While manual processes present opportunities for error, slow the distribution of vital information
and keep executives from higher-value tasks, the dichotomy of good versus bad management is more
important than that of manual versus automated processes. Automation is key to competing at an
accelerated pace of business. But sound manual practices reveal the full potential of GRC. In any case,
successful GRC initiatives will not mean the total abolition of manual processes.
“I am less concerned about manual processes than having an aligned approach to risk management
across the overall organisation,” observes Axel Lehman, chief risk officer of Zurich Financial Services,
a $55 billion company that does business in more than 170 countries. “Whether I get risk reports from
Japan or South Africa, I want to know that like risks are reported in the same way.”
That degree of uniformity is impossible without a commitment to risk management as a corporate
priority from top management. From the management level, risk culture must be instituted throughout
every level of the organisation, in order to fully understand risk both at local and corporate levels.
“Companies need risk aggregation capabilities in place that allow them to look at risk in an aggregated,
enterprise-wide view,” comments Lehman. “One of the essential lessons of the financial crisis is the need
for a holistic view of risk.”
Risk management begins at Zurich with a board risk committee, followed by the CEO, who is ultimately
5
Strengthening governance, risk and
compliance in the insurance industry
© Economist Intelligence Unit Limited 2009
responsible for risk management. As chief risk officer, Lehman shares risk management with other
members of the executive team, who in turn work with business unit leaders, who are responsible for
observing risk management procedures and standards while retaining the independence they need to
function as business managers.
Zurich has implemented a Risk Modeling Platform with the ability to tap into other information systems
and reconcile information. That gives the insurer the ability to understand local risks and aggregate them
up through various levels of the organisation. Zurich has also instituted what it calls Total Risk Profiling,
which identifies and records risk at all levels of the organisation, and it has implemented an economic
capital framework to project return on risk-based capital in the company’s strategic decision-making.
Too often insurers limit their risk management activities to the negative goals of protection,
reducing earnings volatility, protecting the capital base and otherwise insulating the franchise from
negative surprises, Lehman believes. He regards that approach as necessary but not sufficient. “Risk
management in a well-managed company is used to support profitable risk-taking and growth,” he
says. “It is not only about being aware of the risk exposure, but strategically shaping the risk/return
profile of the organisation.
6
© Economist Intelligence Unit Limited 2009
Strengthening governance, risk and
compliance in the insurance industry
Conclusion
I
nsurance companies were among the original adopters of information technology, and their actuaries,
underwriters and accountants have demonstrated interest and even mastery in the use of a broad
range of technological tools in recent times. However, the traditional independence of business lines
and the functions within them have contrived to render the insurance industry a laggard in process
automation even in the core functions of governance, risk management and compliance that have special
importance in a highly regulated industry dedicated to the profitable transfer of risk. Moreover, when
insurers have adopted technology to upgrade governance, risk and compliance processes, the focus has
been on reducing costs and increasing efficiency rather than providing an integrated picture of risk to
support better decisions. Cost reduction is still a compelling argument for moving forward, especially in a
stagnant economy. But the less heralded benefits—which ultimately may be more important—have to do
with improving the quality of decisions.
Companies have managed to be profitable despite their dependence on manual processes, but as the
pace of business accelerates, the speed and efficiency afforded by automation becomes more important.
Even more important is the need to have an enterprise-wide picture of risk and the ability to identify
and react to emerging risks. Risk is opportunity for insurers, but they need a tighter grip on their overall
portfolio of risk with the emergence of new and imperfectly understood risks, such as those associated
with the financial markets, rapid change in laws and regulations, information security vulnerability,
climate change, political instability and terrorism.
An example of how financial process integration can generate returns rather than simply reduce costs
might be the effort by property and casualty insurers to target home and auto insurance policies by
location. Underwriting guidelines have long distinguished among risks in different postal codes. Adding
precise elevation data by latitude and longitude allows insurers to go further and target, for instance,
high-elevation addresses in a postal code dominated by a flood plain. Similarly, a life insurance company
might be able to quickly model and price the actuarial effects of, for instance, a widespread outbreak of
avian flu. Companies that integrate risk, pricing, location and sales activities should be able to “cherry
pick” high-margin, low-risk underwriting opportunities.
Ultimately risk management is about management, not modeling. In the end, technology supplies
input for decision-making, not the decisions themselves. Nevertheless, with a holistic implementation
of GRC, governance risk and compliance are consistently defined, closely linked and embedded
throughout the organisation through end-to-end processes and controls. Well-designed automated
processes efficiently integrate financial reporting, compliance and risk monitoring into daily operations.
Furthermore, they afford greater ease of modification, giving insurers the ability to react to changes in
the marketplace. Finally, they not only reinforce the protective aspects of risk management but they also
provide the basis for strategic risk management as an engine of profitability.
7
Appendix
Survey results: Insurance
respondents only
Economist Intelligence Unit 2009
Strengthening governance, risk and
compliance in the insurance industry
Appendix
Survey results: Insurance respondents only
What would be the biggest benefits of an initiative to
standardise and automate your financial processes?
Select up to three.
What are the biggest problems with your current financial
processes? Select up to three.
(% respondents)
(% respondents)
Complex procedures which are difficult to model or automate
36
Enhancing data integrity
36
Cutting back on manual processes, decreasing risk of error
Inconsistent methodologies around the organisation
50
Incompatible technology (eg, customised spreadsheets,
databases and commercial products)
48
Freeing staff from routine number-crunching, redeploying
into higher-value activities
33
The need to reconcile inconsistent or redundant data from multiple sources
43
Meeting compressed deadlines/improve response time
33
Boundaries between departments, with departmental managers
trying to hold on to authority
34
Reducing costs
29
24
Too many manual processes
Better visibility into origin of numbers and how they are calculated
29
17
Controls which are too numerous or restrictive
Standardisation of methodologies around the enterprise
21
16
Portions of the process depend on individuals who are not always available
Higher productivity
19
16
Lack of visibility and accountability
Able to set risk thresholds, data access and other controls centrally
16
12
The need to document audit trails
Better compliance with regulatory requirements
12
10
Other
Able to identify and resolve bottlenecks
5
9
Fewer opportunities for fraud
3
Other
What would be the biggest drawbacks of an initiative to
standardise and automate financial processes?
Select up to two.
2
(% respondents)
High level of investment required
47
Difficulty of getting buy-in from business lines/regions
28
Difficulty of modeling complex financial processes
26
Multiple regulatory regimes make compliance rules unique
by business and/or region
24
Difficulty of getting buy-in from senior management
21
Organisation is too diverse in its business lines
17
Business model and operations are unique
14
Financial processes are sufficiently fast, efficient and accurate now
7
8
Economist Intelligence Unit 2009
Strengthening governance, risk and
compliance in the insurance industry
Appendix
Survey results: Insurance
respondents only
In the past five years, which of the following tasks has your organisation attempted to address by improving
its financial processes? Select all that apply.
(% respondents)
Increase level of automation for processes in general
76
Prioritise controls based on risk assessments
50
Increase level of automation for internal controls
48
Realign segregation of duties
43
Reduce redundancies
34
Other
3
We have not attempted to improve our financial processes
2
What improvements, if any, have resulted from these attempts? Increase level of automation for processes in general
(% respondents)
Much higher
Higher
No change
Lower
Much lower
Don’t know
Headcount
7
11
32
48
2
14
2
Time required
2
11
14
57
Control errors
7
7
16
56
9
5
Audit costs
5
9
43
25
5
14
7
14
Number of poor-quality decisions
2
7
25
45
What improvements, if any, have resulted from these attempts? Increase level of automation for internal controls
(% respondents)
Much higher
Higher
No change
Lower
Much lower
Don’t know
Headcount
4
19
31
42
4
Time required
19
19
48
15
0
Control errors
19
11
44
22
4
Audit costs
4
11
44
22
7
11
Number of poor-quality decisions
8
20
48
8
16
What improvements, if any, have resulted from these attempts? Reduce redundancies
(% respondents)
Much higher
Higher
No change
Lower
Much lower
Don’t know
Headcount
11
11
11
11
21
53
5
0
Time required
11
53
11
5
Control errors
6
11
17
56
6
6
Audit costs
6
11
50
17
17
Number of poor-quality decisions
6
28
39
6
22
9
Appendix
Survey results: Insurance
respondents only
Economist Intelligence Unit 2009
Strengthening governance, risk and
compliance in the insurance industry
What improvements, if any, have resulted from these attempts? Realign segregation of duties
(% respondents)
Much higher
Higher
No change
Lower
Much lower
Don’t know
Headcount
4
25
38
25
8
38
8
Time required
21
33
Control errors
22
30
39
4
4
17
4
5
5
Audit costs
22
57
Number of poor-quality decisions
5
55
32
What improvements, if any, have resulted from these attempts? Prioritise controls based on risk assessments
(% respondents)
Much higher
Higher
No change
Lower
Much lower
Don’t know
Headcount
21
59
14
7
Time required
28
28
41
3
0
Control errors
11
25
61
4
Audit costs
3
17
31
31
3
14
59
3
14
Number of poor-quality decisions
7
17
Does your organisation regularly include risk evaluations as part of its financial processes?
(% respondents)
Yes
79
No
17
Don’t know
3
What are the results of these risk evaluations?
(% respondents)
Much better
Better
No change
Worse
Much worse
Don’t know
Quality of decisions
11
72
17
Efficiency of processes
6
53
36
6
Prioritisation of controls
17
10
53
28
3
0
Economist Intelligence Unit 2009
Strengthening governance, risk and
compliance in the insurance industry
In which country are you personally located?
4
(% respondents)
Appendix
Survey results: Insurance
respondents only
In which region are you personally based?
(% respondents)
4
United States of America
20
2
Western Europe 30
United Kingdom
9
2
South Korea
7
2
Canada
5
2
Nigeria
5
2
Brazil
4
2
4
2
4
2
North America
25
Asia-Pacific
20
Middle East
and Africa
14
Latin America
7
Eastern Europe
4
China
India
Netherlands
4
2
Switzerland
4
What is your primary industry?
(% respondents)
2
Australia
2
2
Financial services 100
Belgium
2
2
Croatia
2
2
Czech Republic
2
2
Denmark
2
2
Germany
2
2
Ghana
2
2
Hong Kong
2
2
In which sub-sector of financial services does your
organisation belong?
2
(% respondents)
Hungary
2
Israel
2
Kenya
2
Insurance
100
2
Latvia
2
Mexico
2
Poland
2
Puerto Rico
2
South Africa
2
Spain
2
Thailand
2
Turkey
2
Zimbabwe
2
11
Appendix
Survey results: Insurance
respondents only
Economist Intelligence Unit 2009
Strengthening governance, risk and
compliance in the insurance industry
What are your organisation’s global annual revenues
in US dollars?
What are your main functional roles?
Please choose no more than three functions.
(% respondents)
(% respondents)
Finance
$500m or less
26
$500m to $1bn 19
45
Risk
40
$1bn to $5bn
16
General management
$5bn to $10bn
19
Strategy and business development
$10bn or more
19
34
29
Marketing and sales
16
Operations and production
14
Customer service
12
IT
7
Human resources
Which of the following best describes your job title?
5
(% respondents)
R&D
5
Board member
Information and research
2
3
CEO/President/Managing director
Legal
10
0
CFO/Treasurer/Comptroller
Procurement
16
0
CIO/Technology director
Supply-chain management
0
0
Other C-level executive
Other
5
3
SVP/VP/Director
24
Head of Business Unit
12
Head of Department
14
Manager
12
Other
5
Whilst every effort has been taken to verify the accuracy
of this information, neither The Economist Intelligence
Unit Ltd. nor the sponsors of this report can accept any
responsibility or liability for reliance by any person on
this white paper or any of the information, opinions or
conclusions set out in the white paper.
12
LONDON
26 Red Lion Square
London
WC1R 4HQ
United Kingdom
Tel: (44.20) 7576 8000
Fax: (44.20) 7576 8476
E-mail:
NEW YORK
111 West 57th Street
New York
NY 10019
United States
Tel: (1.212) 554 0600
Fax: (1.212) 586 1181/2
E-mail:
HONG KONG
6001, Central Plaza
18 Harbour Road
Wanchai
Hong Kong
Tel: (852) 2585 3888
Fax: (852) 2802 7638
E-mail: