A LIMRA Special Feature

The insurance industry was founded on the concept of managing mortality risk and is very experienced with it. However, expanding the concept of risk management to operational risks is fairly recent. Over the past several years the role of the risk assessment officer has expanded greatly in the insurance industry, as more companies recognize that operational risks abound and that reducing their exposure can have a significant benefit for the bottom line.

Compliance risk is only one of many operational risks, but it is an important one. The costs associated with failure to be in compliance with state, NASD, or federal regulations or with failure to have proper market conduct are high, and the probability of some of those risks occurring is also high. This makes it valuable for a company to understand how to manage compliance risk.

There are three steps in managing compliance risk: identify the potential risks, quantify them, and then control them.

IDENTIFYING COMPLIANCE RISK The first step in managing risk is to know where the potential and actual compliance and market conduct risks are in your operation. This requires identifying them and describing their causes and interrelationships and how they will be measured. Some companies rely on audits of selected processes to identify actual risk; e.g., failure to property follow licensing procedures. However, few companies audit all of their processes at once, which means that periodic audits can lead to a piecemeal effort at identifying risks.

For example, audits often do not focus on the market conduct of agents and management, which is an important area for risk assessment. Audits also typically focus on actual risks that have occurred, and they therefore sometimes paint only a sketchy picture of potential risks. Finally, periodic audits sometimes focus on whether a process complies with regulations but may not evaluate its effectiveness, leaving a gap in knowledge about potential risks.

Some companies rely on their triennial Insurance Marketplace Standards Assessment (IMSA) to identify risks, but unless they add significantly to the process, IMSA cannot provide a full risk assessment picture. IMSA currently does not test the effectiveness of processes, but only their existence and general use, so relying on it to assess compliance risks can lead to gaps...