NAIC risk-focused examinations have been evolving over the years, with 2017 focusing on critical risks, corporate governance, enterprise risk management (ERM), third-party / vendor risk management (VRM) and cybersecurity. The risk-focused examinations conducted by your state regulator in accordance with the National Association of Insurance Commissioners' (NAIC) Financial Condition Examiners Handbook are now in their second round, which gives most insurers an opportunity to leverage prior examination experience and ensure value is obtained from the time committed to compliance.
Understanding how to increase the effectiveness and manage the efficiency of your next examination starts with understanding its purpose.
The primary purpose of a risk-focused examination is to review and evaluate an insurer’s business processes and controls, including the quality and reliability of corporate governance and assistance in assessing and monitoring its current financial condition / prospective solvency. As part of this process, the examiner identifies and evaluates risks that could cause an insurer’s surplus to be materially misstated, both currently and prospectively.1 On the first round of risk-focused examinations, mostly with 2008 to 2011 year-end dates, the examination themes were to identify as many risks as possible, develop the risk matrices, focus on internal controls and risk mitigation strategies, and touch on corporate governance and ERM issues.
Unfortunately, the first round was more costly and time-consuming than expected because of the learning curve and the increased use of contractors. However, that work laid out a roadmap for thinking about prospective risks, increasing reliance on the work of external and internal auditors, and focusing on the key risks at the organization, taking a prospective view and moving away from a "rear view mirror" approach. As the NAIC and regulators refined the approach based on lessons learned and industry feedback, the focus shifted to critical risks and the examination process itself was modified.
During your upcoming examination, state examiners will be referencing critical risks. A key step in preparing for the new process is to identify the strategies your organization uses to mitigate each critical risk and to have a mapping ready for the examiner's consideration. Examiners can leverage the risks identified and the work performed on prior exams, which can lead to efficiencies and potentially reduced costs. The mapping does not have to be exhaustive, and it can also be used to prepare executives for the interviews conducted by the examination team. The critical risk areas, with high-level considerations, are:
Valuation / impairment of complex or subjectively valued invested assets
Do you have a documented and consistent process in place for hard to value assets and impairment determination?
Liquidity considerations
Are there processes and cash management strategies in place to ensure that current contractual obligations (those due within two years or less) can be met? Can funding be obtained or assets liquidated without incurring unacceptable losses?
Appropriateness of investment portfolio and strategy
Is the investment portfolio and strategy appropriately structured to support the organization's ongoing business plan? Does an investment policy exist that addresses asset diversification, quality, maturities and risk / reward considerations, which could impact the insurer’s vulnerability to future market fluctuations and impairments?
Adequacy of reinsurance program
How does the organization ensure that the reinsurance strategy is appropriate to support its ongoing business plan and that adequate coverage is in place to address the insurer's risk exposures (e.g., catastrophe risk, morbidity risk, etc.)? What documentation and processes exist evidencing review of the quality of reinsurance counterparties, the types of coverage in place, associated limits, net retentions, etc.?
Reinsurance reporting and collectability
What formalized and documented financial reporting controls exist to ensure that all reinsurance amounts are properly accounted for and reported? Is there adequate documentation and review for proper accounting and reporting / disclosure for risk transfer issues?
Underwriting and pricing strategy / quality
Has the organization established and implemented appropriate risk exposure limits and formal underwriting guidelines? What risk mitigating strategies exist to ensure there are adequate rates for the risks assumed under its policies and expense structure? How does the organization ensure and provide evidence that these strategies and practices are consistently applied across the distribution channels?
Reserve data
Does evidence exist to support that the underlying data used by the actuary in the company's reserve calculations is complete and accurate?
Reserve adequacy
This category may apply to the various forms of significant reserves carried by an insurer, including life reserves, incurred but not reported (IBNR) reserves, case reserves, loss adjustment expense (LAE) reserves, policy reserves, premium deficiency reserves, etc. Do you use a credentialed actuary or actuarial firm, and are changes in methodologies adequately supported? Is the IBNR process and determination consistently and adequately documented? Are the reserves recorded in the financial statements within a reasonable range of the actuarially determined estimates?
Related party / holding company considerations
This category encompasses transactions and agreements arising from relationships with affiliates affecting the insurer’s ongoing solvency position. Do risk mitigation strategies, processes and adequate documentation exist to ensure review for inequitable contract provisions, the impact of guarantees, contagion risks extending from holding company operations, intercompany tax issues, etc.?
Capital management
Does the organization have formalized and adequate processes to assess, manage and maintain sufficient capital to sustain its business plan and solvency position? Is there periodic forecasting of capital needs, and is there access to and / or a plan for additional funding if needed?
The identification and testing of critical risks is central to the current examination process, and with planning and communication with your regulator during the exam, you can influence the timeliness and efficiency of your exam. Identify your organization's processes and risk-mitigating strategies for each critical risk area, and proactively communicate any critical risks falling outside the areas noted above so that the examination team spends its time on the areas that matter to your organization.
The Corporate Governance Annual Disclosure (CGAD) Model Act and CGAD Regulation have been slow to be adopted by most states. Adoption is moving along, however: as of Feb. 22, 2017, 18 states had adopted or were considering the CGAD Model Act, and 7 states had adopted or were considering the CGAD Regulation. Insurers in adopting states will be expected to provide their commissioner with more detailed information on how their overall corporate governance is determined and assessed. In states that have not adopted, the examination team will still interview senior management and the board of directors to assess information such as:
Board size and structure
Includes duties, committees, the roles of CEO and board chairman, the qualifications and experience of board members, how an appropriate level of independence is maintained and how the board evaluates its own performance
Senior management policies and practices
Includes practices in place to determine the suitability of the background and experience of persons in key control positions, a code of conduct and ethics, and succession planning
Senior management compensation programs and performance evaluation
Includes how risk management is a factor in compensation and how the organization ensures that compensation programs do not encourage and / or reward excessive risk taking
Board oversight of critical risk areas
Includes the risk management processes, cybersecurity, actuarial function, investment decision-making processes, reinsurance decision-making processes, business strategy / finance decision-making processes, compliance function, financial reporting / internal auditing and market conduct decision-making processes
In addition to the information discussed above, a normal agenda for your upcoming C-level interviews may include obtaining an understanding of the following:
Examiners on the second round of risk-focused examinations will be spending more time reviewing and assessing your enterprise risk management (ERM) functions. Depending on the size, complexity and nature of your operations, some of your ERM practices may be informal. Even for smaller to mid-sized insurers not required to file an Own Risk and Solvency Assessment (ORSA) summary report (ORSA reporting applies to insurers with $500 million or more of direct written premiums / revenue, subject to certain adjustments), regulators will expect more formal documentation of risks and risk mitigation strategies, a clear description of your ERM processes and evidence to support your risk-mitigating strategies.
If you are not required to comply with ORSA, you can start preparing now and gathering information related to your current ERM program. Establishing an ERM program that is maintained, fits your culture and is actionable is an ongoing process requiring buy-in from all levels within the organization. Therefore, do not take a cookie cutter approach but rather be aware of your processes, even if informal, and gather the information in a succinct manner so the examiners can still understand and evaluate your ERM program.
Vendor and third-party risk identification and management is currently an industry hot topic, and regulators are following suit in how they review, identify risks and judge the adequacy of an insurer's VRM. A detailed review is conducted as part of the IT examination, as well as part of the examination team's overall risk assessment. If your organization uses outside vendors, you should have a clear understanding of how your organization manages and monitors those vendors and be able to communicate it to the examination team. In addition, Statement on Standards for Attestation Engagements (SSAE) No. 16 reports, also known as Service Organization Controls (SOC 1) reports, should be readily available for those third parties providing services that affect financial reporting. (Note that SSAE No. 18, effective May 1, 2017, replaces the SSAE No. 16 guidance for SOC reporting.)
The examination team will expect not only that SOC 1 reports exist for your third-party vendors, but also that you have reviewed them, assessed the auditor's opinion and any exceptions, and addressed and documented the complementary user entity controls (the controls the report assumes you operate on your side). In addition, the examination team will request information on your VRM risk identification process, on the identification of fourth-party vendors (i.e., the third parties used by your third parties) and on how their controls and risks are assessed. Aligning your vendor risk management process with your organization's culture and strategy is a best practice worth considering now, as it could someday become your regulator's expectation for your VRM program.
Your state examination team may determine that there is a significant amount of exposure to cybersecurity risks. The specific risk exposure may vary based on the volume and type of sensitive information (e.g., Social Security numbers, protected health information, other personally identifiable information, etc.) and the broader security environment in which the organization operates. However, the examiners handbook is clear that your organization is not required to use any particular IT security framework, nor are your IT security systems or controls required to include all of the components of any single framework. The size and complexity of your operations and the nature / scope of your activities should be the primary driver of the examination considerations, the level of review and the expectations for formalized processes and controls. Not being tied to a specific framework does not mean no framework at all: the examiner will still look for an IT risk and control framework that has actually been adopted, applied consistently and reported to the board.
As part of the updated initial requests, the IT examiner may ask you to provide a description of the types of sensitive information maintained or accessed by the company and the approximate number of records containing each type of information. For each type of sensitive information, you may also be asked to provide the number of outside vendors who have access to or maintain that information. In addition, according to the handbook, procedures specific to the cybersecurity assessment that the examiners may perform include (not an all-inclusive list):
Interview of IT senior management
Verifying that an IT risk and control framework has been adopted throughout the organization and ensuring appropriate reports relating to adoption of the framework have been provided to the board of directors or a committee of the board appropriately
Review of training programs and schedules
Confirming that management and employees are provided with sufficient training to understand the importance of compliance with IT and cybersecurity policies
Assess security awareness
Evaluating the level of security awareness throughout the organization, including the awareness of the board of directors and senior management, as appropriate to their distinct roles
Review risk analysis
Assessing management’s awareness of risk analysis and risk profile reports, and if applicable, review and / or verify initiatives as a result of IT-related exposures and opportunities
Review of security event logs
Reviewing the security event logs to ensure network activity is being properly monitored, including activity generated by third-party service providers and their accounts. Note that the extent of testing, and the associated requests, should be focused on material events. Procedures performed may include a review of how management classifies events, to determine that material events are appropriately identified and escalated rather than lost among routine alerts
Verify forensic investigation procedures exist
Reviewing the company's computer forensic investigation procedures and confirming whether they follow a process of identifying, preserving, analyzing and presenting digital evidence in a manner that would be acceptable in a legal proceeding (i.e., a court of law), including a documented chain of custody for the evidence collected
Communication of post-remediation results
Verifying the communication of the results of post-remediation analysis to management and the board of directors / board committee
You can reference Baker Tilly’s cybersecurity webinar for additional information and best practices that may be helpful to consider prior to your next exam.
If you are responsible for actively managing your next examination, preparing your company to proactively address the critical risk areas, corporate governance and ERM, vendor management and cybersecurity risks may help you see more value from the examination process. Conducting your own mock examination, or hiring an industry specialist to help prepare you for your next examination, should also be considered. It may lead to greater efficiency and to the identification of potential examination findings before your examination begins, giving you adequate time to remediate them. We have seen from our own examination experience that how well prepared a company is can have a direct correlation to the efficiency and cost of an exam.
For more information on this topic, or to learn how Baker Tilly insurance specialists can help, contact our team.
1 National Association of Insurance Commissioners. Financial Condition Examiners Handbook (2016).