Managing Director & Senior Partner; Global Leader, Risk & Compliance Practice
Long an afterthought for most companies, compliance risk management—in financial services generally, and in the insurance industry specifically—is becoming a strategic function at the core of multiple business processes as diverse as new-product development and financial reporting. A comprehensive study by BCG of chief compliance officers (CCOs) and business executives in the insurance industry shows that this trend is set to continue.
Following the 2008 financial crisis, compliance in banking underwent a fundamental transformation as lawmakers and regulators in North America and Europe placed a host of new requirements on financial institutions. Regulatory activity today, especially in Europe, suggests that the insurance industry is facing a similar situation. Many companies view increasing compliance requirements as simply another burden on an already heavily regulated sector. Smart insurers, however, see opportunities to differentiate themselves with customers and consumers and even to establish competitive advantage.
Our study of compliance in the insurance industry assessed current risks, the state of governance and organization in insurance companies, and today’s compliance processes and methodologies. In this article, we summarize our findings, analyze the shifting compliance environment, and consider what that shift means for the insurance industry.
A number of factors are compelling compliance risk management from backwater to boardroom:
But perhaps most important, new business models and strategic imperatives require more-active management of compliance risks. For example, a growing focus on customer needs puts an emphasis on customer protection, including product design and transparency as well as distribution. Digital sales models raise new and more complex concerns over financial crime and buyer verification. And the increasing use of big data demands that privacy and data protection requirements be addressed for an ever-growing body of information.
These and other developments necessitate a compliance function that is much more active, sophisticated, and robust than the ones that most insurers currently have.
Our study consisted of in-depth interviews with CCOs and other senior managers at 17 insurers, including global and regional companies, in eight countries. Among other things, we asked these executives to rank the importance of various risks today. (See Exhibit 2.) Client and data protection and financial crime emerged as the two most critical risk categories in our sample for both global and regional players, with an average ranking of 3.0 on a scale of 0 to 5. Market integrity and professional ethics were seen as less relevant, with average rankings of 2.5 and 2.4, respectively.
Within the category of client data and protection, “mis-selling” and fiduciary risk, privacy and data protection, and product adequacy and disclosure are seen as the most critical risks. “My sentiment is that the industry is not doing a good job in screening customer data; the risk is high,” said one senior executive. “Sales force mis-selling is a critical risk for our group, and it will be even more critical in Europe with MiFID II [the European Union’s Markets in Financial Instruments Directive],” said another.
Within financial crime, anti-money-laundering (AML) risks are seen as the most critical. We expect the repercussions of financial crime (especially AML and related sanctions) to become an even more significant factor, as the banking industry has already experienced. As one member of our panel put it, “Money-laundering risk must be tackled in a tailored way, region by region, to be effective while minimizing costs.”
Compliance risks should be managed by the part of the organization that takes the risks. What’s more, that management is inherently ineffective without the strong involvement of business functions. Mitigation of compliance risks is primarily a frontline responsibility. Thus, company executives and their staffs are the first line of defense against poor or inadequate risk management.
The compliance function, along with other control functions, should support business by providing standards, methodologies, and policies. Compliance is the second line of defense, and, as such, it should coordinate risk assessments and provide guidance for designing controls and defining mitigating actions.
The audit function is the third line of defense. It should provide independent assurance about the adequacy of the framework for compliance risk management.
The compliance function itself should have the following key elements:
To make sure that roles and responsibilities are clearly delineated, the compliance function’s mandate and scope should be differentiated from those of the legal and operational-risk functions. With regard to compliance risks, the legal department should provide advice on current and new regulations, as well as judiciary practices. The operational-risk function should maintain oversight of nonfinancial risks, focusing on internal processes and procedures, people, and systems; identifying and measuring risks; and applying a common approach across all functions, including compliance. Compliance should take the lead on more-specialized activities, such as supporting the business function on definition policies regarding controls, taking mitigating actions, and supporting the operational-risk function on the qualitative element of risk assessments. Splitting responsibilities between the operational-risk and compliance functions on the sole basis of a risk taxonomy definition, as discussed in the following section, has proven difficult for many companies because implementing differences in day-to-day activities can result in inconsistent methodologies, processes, and outcomes for similar risks.
At the base of any compliance methodology, insurers must establish a structured risk taxonomy that is integrated with operational risks. If compliance risks cannot be clearly described, they cannot be measured, managed with appropriate mitigating actions, or reported within the organization in a consistent and coherent manner. Our survey findings suggest that while most insurers identify compliance risks at both the group-wide and local levels, few align their compliance risk taxonomies with operational risks. As the CCO of one regional insurer told us, “We manage data privacy, and risk management manages data protection separately, despite great similarities between them.” The result is a potential duplication of processes and, possibly, different assessments of risks that are similar or even identical to one another.
Risk assessments that prioritize risks on the basis of objective evidence, expert opinions, and business feedback are the first pillar of comprehensive compliance risk management. They provide a clear view of the risks and the processes that the risks threaten. In our experience, however, too many insurers view them as “gap assessments” focused only on regulatory requirements.
Risk assessments should be used to measure the risks underlying each regulation and should be based on an in-depth understanding of each insurer’s business model. They should provide clear guidance on where to focus remedial actions and controls. The board of directors, executive managers, and business functions should be actively involved, and the compliance function should provide support and guidance regarding methodologies.
Most insurers today perform traditional bottom-up assessments, which are time-consuming exercises, especially when they need to be completed for multiple business units, legal entities, and processes affected by a broad set of regulations. The bottom-up approach typically does not prioritize risks before the assessment, so the subsequent efforts neither focus on the most significant risks nor facilitate executive decisions on risk mitigation.
In a top-down risk assessment, however, CCOs engage boards and top management to identify and prioritize the most important risks arising from current and new regulations with a very simple and high-level risk taxonomy that includes no more than 20 risks. Together, they determine the business processes in which these risks are particularly relevant and discuss the impact of new strategic initiatives on the compliance risk profile.
Not only do top-down assessments require less time and effort, but they also serve as a much more effective tool with which insurers can:
More advanced insurers are also developing so-called compliance risk appetite frameworks that embed shareholders’ appetite for compliance risks into their risk assessments. The boards of these insurers, supported by the CCO, set tolerance limits for compliance risks that are linked to the results of compliance risk assessments. The CCO of a global insurer describes his company’s approach this way: “We draw a risk map with the inherent risk on one axis and the controls environment on the other axis, which gives us a very good view of the positions of the different risks. Then we compare the positioning of each risk against our risk appetite framework to identify priorities and the risks to focus on.”
Such companies are enforcing their “zero appetite” philosophy for noncompliance with regulations by establishing a clear appetite for the risks related to the regulations. Since compliance risk levels can never be reduced to zero, understanding that such risks can only be mitigated helps to set priorities and maximizes the efficacy and efficiency of mitigating actions.
For most insurance companies, managing compliance risks means having a solid controls system in place. But effectiveness is often equated with comprehensiveness, when in fact the actual effectiveness of such systems depends much more on prioritizing and focusing on the critical risks, employing a lean and efficient design, and positioning the controls upstream in business processes to avoid costly loops and duplications. The experience of the banking industry is instructive in this regard. In the wake of the 2008 meltdown, controls and FTEs exploded, along with the investments required to manage them—but increases in compliance levels did not necessarily follow.
Insurers should rigorously review their controls framework, updating guidelines and policies, understanding risk factors, reviewing controls objectives and risk indicators, and rationalizing controls activities. We have developed a framework of best practices based on our study. (See Exhibit 3.) One of the key concepts is to link the strength and number of controls to the level of residual risk measured by the risk assessments so that controls are focused on the areas in which the perceived residual risk is significant.
Insurers can help top executives and members of the board to focus on and understand risk management by synthesizing the overall risk profile into a few figures—the key risk indicators (KRIs) of compliance. The most difficult challenge is to merge different metrics and qualitative information into a KRI number. The first step is to define the “risk tree,” which encompasses all the drivers that contribute to the risk indicator. Once the risk tree is defined and agreed upon by the board and top management, the compliance function can find an appropriate way to measure and compare each of the drivers and then build the overall indicator into a useful reporting tool.
Managing compliance risks goes beyond controls and reporting. Our study highlighted three strategic actions that companies should take to transform compliance from a burden into a source of competitive advantage.
Involve the board. Companies should actively help boards of directors to better understand compliance risks and their impact. At more than 75% of the insurers that we interviewed, board committees (such as risk, control, and audit) meet at least quarterly to discuss compliance topics. CCOs, however, are invited to these committee meetings only on an ad hoc basis to discuss current issues or to present periodic reports. Very few CCOs are actively involved in strategic discussions of compliance risk profile and regulatory strategy.
Changing this approach is not an easy task. CCOs highlighted several common issues that need to be addressed, including limited board knowledge of compliance topics, the difficulty of translating technical compliance concepts into simple messages that focus on taking action, and uncertainty about the type of information to be reported at the board level. To handle these issues, a number of leading companies are launching training programs for board members, including self-assessments and regulatory inductions. Such sessions are already common in banking.
Embed compliance in insurers’ strategic-planning processes. Forward-looking management of compliance is critically important for insurers, but only about 15% of insurers raise compliance risk management to the level of strategic planning. These tend to be the companies with top-down risk assessment processes in place. Such assessments help to embed compliance thinking into the strategy of the company and the main strategic initiatives launched by the businesses. For example, the European Union’s Insurance Distribution Directive II is bringing fundamental changes to the relationship between insurers and their intermediaries and requiring new levels of information disclosure to customers, both of which raise key strategic questions. A best-practice compliance risk management approach would incorporate the expected changes from the new regulations into the distribution strategy and use new information requirements as the basis for developing innovative products targeting specific customers with focused marketing campaigns.
Make the necessary investments. Insurers need to allocate the required budget to ensure that their compliance risk management framework stays current with regulatory requirements and to integrate compliance into business strategy. CCOs outlined three main areas for investment:
Each insurance company starts with different compliance capabilities, processes, and methodologies. And each will need to contend with varying degrees of complexity, depending on the insurer’s size, footprint, and business mix. All companies need to assess their readiness for upcoming challenges and build more robust models if required. Most will benefit from taking the following steps:
Regulatory changes and emerging business models are transforming compliance risk management from a formal exercise to a top concern for insurers. Awareness of compliance risks has risen dramatically, and as our study shows, many companies have already started the journey toward structured, business-driven, and forward-looking compliance risk management practices. There is still significant work to be done. Those that tackle the challenges and move quickly to establish best practices in their organizations will reap the rewards of leadership and competitive advantage.