Global Boost for Governance

Though America long ago achieved political independence, the financial crisis and the subsequent ongoing turmoil within the Eurozone are potent reminders that our economic inter-reliance with Europe has never ebbed. This intercontinental comity is also increasingly present in the regulatory code. Much as the advent of aviation has helped shrink the Atlantic, new rule-making initiatives are bridging once disparate regulatory regimes.

The largest exemplar of this trend toward global harmonization is the pending Solvency II requirements under development by the European Union. Due to be in force on December 31st 2012, Solvency II will require insurers to be explicit about their governance practices and require them to perform an Own Risk and Solvency Assessment (ORSA), an internal evaluation by an insurer to determine its risk profile.

For U.S.-based insurers, the focus on governance has become prominent in the wake of the financial crisis and its subsequent corrective measure, the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Specifically, the Solvency II directive contains three pillars that house a broad range of requirements regarding internal audit, risk management and actuarial functions, as well as overall corporate governance. Pillar I is comprised of quantitative measures that demonstrate an insurer's capital adequacy, Pillar II concerns qualitative measures that provide evidence of an effective governance framework within an insurer, while Pillar III focuses on transparency and disclosure requirements.

Under Pillar II of Solvency II, corporate governance is defined as having four core functions: risk management, actuarial, internal audit and internal controls. In its global outlook report for 2011, consultancy PWC stressed that insurers cannot disregard the amount of effort necessary to comply with Pillar II. "While most European insurers have been devoting the vast majority of their attention to Pillar I quantitative requirements, an increasing number are turning their attention to the requirements of Pillar II by enhancing their governance systems (ERM, Internal Audit, Compliance, and Actuarial) and developing a formal process for the (ORSA)," the report states.

Yet, European insurers aren't the only ones reacting to ORSA. To dovetail with Solvency II and to comply with the Insurance Core Principles (ICP) of the International Association of Insurance Supervisors (IAIS), the National Association of Insurance Commissioners is crafting its own ORSA for U.S.-domiciled insurers. NAIC is creating its ORSA in an attempt to make sure the U.S. regulatory system is deemed functionally "equivalent" to the new Solvency II regime, thus enabling U.S.-based insurers to operate in the E.U. with fewer restrictions.

NAIC's move is not without controversy, and is drawing criticism from the American Insurance Association, which is charging that it is duplicative and unduly burdensome. Indeed, while the functional equivalency of the U.S. and E.U. may mean much to some European-owned U.S. insurance subsidiaries and U.S. insurers that operate internationally, regional insurers already stressed about meeting the requirements of state insurance regulators may well bristle at the prospect of having to satiate Brussels as part of a global shift toward regulatory modernization and harmonization.

GOVERN THYSELF
Yet, regulatory concerns are far from the only reasons insurers are reassessing their governance and risk management structures. Speaking during a session at the Insurance Accounting Systems Association's Educational Conference and Business Show in June, Scott McEntee, controller at Farmers Mutual Hail Insurance Co., said the impetus for the enterprise risk management initiative he led at the firm was purely internal.

"We are a mutual company so we don't have to worry about SOX, the SEC or, hopefully, the model audit rule, so we are doing it for the right reasons," McEntee said. "Management has talked about an ERM program for the past few years and it finally came about two years ago."

McEntee said marshalling the wherewithal to get the program off the ground was challenging as the company had many other strategic initiatives under way at the same time. "We knew that we wouldn't have the resources to carry the ERM initiative through from a project management standpoint and we also knew that since it was such a new thing we didn't have the knowledge base we needed," he said. "So we went and got an outside vendor to help us out."

Once the consultant and proper software were in place, McEntee said a primary undertaking was constructing a risk matrix where risks are identified and ranked. Though he says ERM is largely a qualitative assessment of risk, some quantitative measures around risk appetite are essential. "Until you can quantify your risk appetite and develop the consequences you are willing to accept and what level you are willing to accept them at, it makes no sense to identify and rank individual risks," he said.

With the ERM regime now operational, McEntee says its bottom-up approach converges well with the top-down nature of the company's strategic planning. In this light, a well defined, effective internal control structure seems more a purposeful, value-added business initiative than a reaction to a burdensome regulation.

Many insurers are not waiting for a push from regulators to become more explicit about their governance practices. This entails publicly demonstrating the strength of and management's commitment to their governance processes by clearly defining responsibilities and appropriate reporting lines, and documenting governance policies and procedures. American International Group and Allstate, for example, publish extensive information regarding corporate governance structures on their respective Web sites. No doubt, a properly run governance regime can furnish its own rewards and bring tangible business benefits, such as positively impacting credit ratings and investor sentiment.

Despite the regulatory emphasis on governance, it is still worthwhile to note that governance is not synonymous with compliance. While compliance is done solely to appease regulators, governance exists to protect its owners' interests. Indeed, some argue the "checklist" mentality that defined some compliance efforts in the wake of the Sarbanes-Oxley Act is especially dangerous in the face of Solvency II, which codifies the use of analytics models in risk management. "The increased use of complex actuarial models will also require insurers to establish robust model governance procedures to support the integrity of actuarial projections," PWC notes.

Carriers also need to be wise not to conflate good governance with a robust enterprise risk management regime. Which is not to say the three endeavors do not overlap, and that data utilized for one is not useful for the other. A burgeoning class of GRC (governance, risk and compliance) tools looks to coordinate and automate some of these complementary efforts. With the traditional, siloed approach to these functions increasingly out of step with new business and regulatory realities, many see technology as essential for governance to be enterprisewide.

Traditionally, governance at insurance companies has been strong surrounding financial controls and internal audit processes. One reason for this is that many corporate structures lend themselves to good governance practices such as having core committees, audit and compensation, for example, staffed by a mix of internal and independent board members. Here, U.S. regulators were ahead of their E.U. counterparts as NAIC's Model Audit Rule was amended in 2006, requiring insurance company audit committees to include independent directors among their members.

Now, insurers may need to focus on making governance more granular and explicit at the operational level. This entails making sure their governance push extends into IT departments to include such things as security and access management. Indeed, in the era of big governance, things that were formerly just nettlesome, such as systems conversions, now may also carry the weight of compliance risk. At the same time, insurers will need to ensure they have sufficient technological capability to present a unified picture of an organization's risk exposures across multiple geographies and jurisdictions around the globe.

HELP FROM ABROAD
So, where can insurers turn to benchmark their current governance efforts against what may soon be expected from them? In May 2011, the Organization for Economic Co-operation and Development Council (OECD), working with the IAIS, released the revised OECD Guidelines on Insurer Governance.

The revisions were based on a comprehensive review and seek to present the "evolving national and international principles and good practices" regarding insurer governance. OECD says the new guidelines seek to reflect lessons learned from the financial crisis and are organized around four main sections: governance structure, internal governance mechanisms, groups and conglomerates, and stakeholder protection.

Among the recommendations: the need for a board with necessary leadership, expertise, and independent decision-making; effective risk management and internal control systems and integrated enterprise-wide reporting within an insurer; sound compensation arrangements; and well understood group structures.

 

Governance Lapses Embarrass Insurers

The governance policies of insurance companies rarely draw public scrutiny. The past year has seen some noticeable exceptions on both sides of the Atlantic.

In June, the Supervisory Board of ERGO Versicherungsgruppe AG, a Munich Re subsidiary, announced changes to its governance structure following a well-publicized scandal ensnaring some of its top salespeople, who were feted at a party that featured prostitutes and was held at a Budapest spa in 2007.

Torsten Oletzky, Chairman of the ERGO Board of Management, said after an internal audit the company would enact measures intended to supplement the company's existing Corporate Governance rules and regulations. "What happened in Budapest in 2007 is completely unacceptable," Oletzky said in a statement revealing the audit's findings. "The measures adopted today supplement the rules already introduced in the last few years. They should ensure that nothing like it ever happens again."

In April, Cesare Geronzi, chairman of Assicurazioni Generali SpA, resigned after a dispute with the company's board regarding risk appetite. In its June 23rd edition, The Economist deemed Geronzi's ouster a victory for good governance. "As chairman of Generali he quickly announced a new strategy for the firm to expand in Latin America, which its chief executive and board had not even discussed. The insurer, he argued, could invest in a controversial project to build a bridge to Sicily, which some people think might indirectly enrich the mafia. So when directors revolted and Mr Geronzi unexpectedly resigned in April, many investors saw it as a good day for European corporate governance."

Such contretemps have not been limited to Europe. This spring, the governance practices of Berkshire Hathaway Inc., parent of GEICO and General Re, came under scrutiny following the resignation of executive David Sokol, who had purchased nearly 100,000 shares of industrial lubricant maker Lubrizol prior to its acquisition by Berkshire in March. In April, the Audit Committee of Berkshire Hathaway Inc. released a report faulting the "misleadingly incomplete" disclosures made by Sokol but acknowledged that it was working with "company management and legal counsel to identify and implement lessons learned from these events, including possible enhancements to its procedures."
