The insurance sector is under greater scrutiny for its risk management and governance controls. This is due to a range of factors such as fines for high profile failings in risk management, including poor culture, controls, and governance oversight.
Regulators have also stepped up their use of s166 reviews as an integral supervisory tool, with the majority for poor controls and risk management.
Pending updates to the FRC’s Corporate Governance Code also emphasises the need for effective risk management and resilience, demanding greater assurance from the Board.
Despite regulatory expectations going up, many insurers are struggling with their control framework. With a surge in M&A activity across the sector in 2021, many firms have found themselves with legacy risk management processes, and duplicate controls.
There’s also the ongoing pressure of regulatory change, which has seen layer upon layer of new controls with few opportunities for rationalisation. It’s also common to see standard business processes that are misidentified as a control and needlessly added to the risk register. The result is a tangled web that’s increasingly difficult to maintain and weakens the control environment.
If you have too many controls, you aren’t alone. But more doesn’t mean better. Too many controls become unwieldy, making it difficult to see if you’re managing your controls effectively.
That makes it harder to compile meaningful management information, and for senior management to make informed decisions. It also threatens the accuracy of regulatory reporting and Board assurance to internal and external stakeholders. Not to mention needlessly increasing the cost of compliance.
There are four key steps you can follow to simplify your control framework. Throughout this process, you may find a number of controls that are duplicative, redundant or no longer fit for purpose.
Go back to the drawing board to look at how you define your controls, and check if the definition is clear and concise to enable you to strip out any unnecessary process methodology. You may find that your definition has evolved over time, and some sub-sets are no longer needed.
Review the key risks in each of your business areas and determine the controls to mitigate these risks. From there, you can map the key controls to your risks to make sure mitigation strategies are in place to manage them effectively. This will help you update your controls library and controls framework. Keep a look out for any controls that duplicate efforts or no longer add value.
You need to design an effective assessment process, ideally quarterly, where you may want to include some control validation practices. This will provide assurance that risks are managed effectively and the controls are operating as they are supposed to.
As well as identifying, mapping and assessing your controls, it is important to assign control owners to ensure there are named individuals responsible for each identified control.
Streamlining your controls can be daunting, but it will be worth it to improve the quality of your risk management processes. Fewer controls will help you focus your energies on your key risks, and free up your resources for more effective risk and control trend analysis.
Building on this through automation can also help you improve the quality of your controls. This will help to reduce the potential for human error, increasing the speed of intervention due to real time monitoring.
Focusing on quality over quantity will ultimately give your team more freedom to focus on emerging risks, and develop value add propositions to support the wider business.
For more insight and guidance, contact Nousheen Hassan.
