Every insurance firm has several teams and individuals who are responsible for risk management across the first, second and third lines of defence. This includes the risk, compliance and internal audit teams – all with their own priorities, approaches and working methods. But their ultimate goal is the same: to give all stakeholders assurance that risks to the firm are appropriately identified and mitigated.
Despite the overlapping remits, these teams often work in silos, with limited interaction and coordination. The result is a disjointed and inconsistent view of risk across the firm, making it difficult for senior management to make informed decisions or establish an appropriate risk culture. Duplicated efforts are also becoming hard to justify, with increased economic pressures, stretched resources and demanding regulatory change programmes.
How can insurance firms break down internal barriers to create an integrated assurance model?
Why are insurers reticent?
Although there are clear benefits to integrated assurance, it's always been the subject of debate and many teams remain reticent to adopt it. Interdepartmental bureaucracy may be the reason, or a fear that an integrated approach could slow decision-making across each risk team, with a knock-on effect on output. Each function also has its own agenda, and some teams can be possessive about their work, bringing an element of competition to the table. Integrated assurance models aside, this approach is bad for business.
Insurance firms’ risk profiles are changing rapidly, however, and firms must now consider factors such as international conflict, inflation, soaring energy prices, the cost-of-living crisis and emerging ESG requirements. These will all have a significant impact on insurers’ portfolios and require effective controls to mitigate the risks.
In reality, three different assurance functions will assess and prioritise these risks differently and may give conflicting reports to the board. Not knowing which report to follow, the board can give greater credence to one report over others, resulting in an incomplete view of risk, potential false assurance and over-emphasis on some risk areas.
Integrated assurance, however, can resolve this and bring some key benefits. The approach can help senior management understand the changes needed, identify where to target investment and maintain confidence among all stakeholders.
How to create an integrated risk assurance model
An integrated assurance framework doesn’t have to be a big change. Getting started could be as easy as setting up regular meetings between the risk, audit and compliance teams to share ideas and discuss their work. Serving as an education piece, this can build awareness of integrated assurance, break down barriers and demonstrate the benefits. The heads of each assurance function can then consider their combined approach. Getting input from senior management will identify what kind of reporting would work best for them and inform the integrated risk assurance design.
At this stage, assurance mapping is essential. Each team may have identified different risks and prioritised them differently. It’s important to share information to make sure all teams have visibility over these, ensuring each one is effectively managed, with no gaps.
Sharing concerns, programmes of work and upcoming priorities can identify duplication of effort and encourage shared use of expert skill sets for specialist projects. Ultimately, integrated assurance aims to achieve a team-agnostic approach, where the right experts focus on each task, regardless of where they sit within the organisation.
This will naturally cut costs, increase the speed of output and improve the quality of work. It will also enable combined reporting, reflecting the collective risk management approach across all departments and improving senior management oversight.
Getting started with an integrated assurance framework
An integrated assurance model depends on effective collaboration, so it’s essential to ensure there are no internal behaviours or systems that could be a barrier to success. For example, governance processes, reporting lines or billing practices could inadvertently incentivise a siloed approach and discourage collaboration. Integrated assurance could also make individuals nervous about the future of each team, so it’s important to be transparent about what the end goal is and why.
Creating a single, unified view of risk across the insurance firm will magnify the voices from each team, rather than undermine each function’s individual contribution. Giving the board and senior management greater oversight will help them prioritise risk management and set the tone at the top. Over time this will improve risk culture across the firm and help embed effective practices across all three lines of defence.
For more insight and guidance on integrated assurance and how to embed it, get in touch with Nousheen Hassan.