The requirement of CPS 230 for general insurers is that they must effectively manage operational risks, maintain critical operations through disruptions, and manage the risks arising from service providers.
It’s the latter requirement that has caused recent tension, with APRA expressing concern about insurers’ use of Underwriting Agencies and reminding insurers that they can outsource critical underwriting & claims functions, but not accountability.
Underwriting Agencies as an AFS Licensee
It’s all well & good for insurers to impose their requirements on agencies (& rightly so, to a degree); however, among all this, it should be remembered that an Agency that holds an AFSL must comply with its own obligations or face severe consequences, including reputational harm & civil penalties. Somewhat ironically, this may also ‘severely disrupt’ the insurer’s operations.
An Agency holding an AFSL must have adequate risk management systems. The requirement for risk management systems ensures that agencies explicitly identify the risks they face and have measures in place to keep those risks to an acceptable minimum.
This requirement sounds remarkably similar to the CPS 230 requirement on insurers.
Therein lies the answer (lightbulb moment – I feel like a ‘tahdah’ is warranted at this point): the insurer meets its CPS 230 requirement to manage the risks arising from material service providers, and the agency meets its AFSL obligation to have an adequate risk management system & manage its own risks.
ASIC (in RG 104) states that a licensee’s risk management systems will depend on the nature, scale and complexity of its business and risk profile. ASIC also states that the licensee’s risk management systems will need to adapt as its business develops and its business risk profile changes over time. This would include enhancing the agency’s risk management system to enable it to meet the risk of its binder agreement being terminated. Taking a step back, an insurer would eventually terminate the agency’s binder agreement if it presented an unmanageable CPS 230 risk (or any risk for that matter, including in respect of CPS 234 Information Security).
What does an adequate risk management system look like for an insurance Underwriting Agency?
The risk management system must not only cover the risks of the Agency but also, any of its representatives (such as authorised reps or distributors acting under an ASIC instrument).
Risk management components:
- A risk identification (risk profiling) brainstorming session including relevant stakeholders (potentially the insurer(s)) assists in identifying material risks to the business;
- To ensure nothing is missed, risks are categorised. CPS 230 provides assistance by defining operational risk as legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk. To this you would add strategic/reputational risk and financial risk.
- Risk appetite statement (RAS) – a board/senior management approved RAS is critical to define the amount of risk the Underwriting agency is willing to accept in pursuit of its objectives, expressed against each risk category. This can be a simple 1 pager for a typical Underwriting Agency.
- Risks should be recorded in a risk register.
- A risk without control(s) is known as inherent risk. Key controls are assigned to manage the risk & bring the inherent risk within appetite (the risk is then known as residual risk).
- Controls, for the purpose of the agency meeting insurers’ CPS 230 requirements, include having a business continuity plan (BCP) & controls to manage and monitor the processes and resources needed to deliver critical operations, including people, technology, information, facilities and 4th party service providers, and the interdependencies across them.
- Let’s pause and discuss BCP, because at this point an APRA-regulated insurer may raise scenario testing (refer CPS 230 paragraph 43). The Underwriting Agency should periodically test the BCP and share the results with the insurer. Better still, involve the insurer – they have a lot to offer in terms of risk management capability and experience. A testing program must be tailored to the material risks of the Underwriting Agency and include a range of severe but plausible scenarios.
- Ok, back to the control environment…
- A control is only as good as its design and operational effectiveness. Therefore periodic control testing of these 2 elements of effectiveness is critical. A poorly designed control, or a control not operating effectively, is no control. Refer back to the inherent risk point above: without an effective control, the risk is outside the approved RAS. A Control Testing Program is essential and, when shared with an insurer, provides them with assurance in a CPS 230 context.
- Key controls, the nature of testing of each control, accountability, testing frequency etc. should be recorded on the risk register.
- Where gaps are identified from control testing, action plans must be developed by the Underwriting Agency to close out the gap as quickly as possible. The action plan should be recorded on the risk register (what, who, how & when) and reported to the board/management and the insurer.
- In addition to an effective Control Testing Program, a Monitoring Program for an Underwriting Agency is an important part of an adequate risk management system. This program monitors, supervises and provides oversight of the agency’s employees and 4th parties (vendors and outsourced providers). It’s designed adopting the principles of the 3 lines of defence model.
- Data is essential to provide evidence of the adequacy of the Underwriting Agency’s risk management system and yes, the data should be shared with the insurer. It’s all about providing ongoing assurance to the insurer. Data is derived from many sources: training register, risk & obligation registers, complaint register, incident & breach register (note here that incidents are wider than just compliance incidents and include operational risk incidents such as work health and safety, cyber & technology etc.).
- I’ve talked a lot about reporting to the insurer to provide them with comfort and enable the insurer to meet CPS 230 requirements arising from material service providers. The reporting should be formalised so that risk reporting is provided to the risk & compliance committee (this committee is essential for all Underwriting Agencies), the agency’s board & management and then to the insurer(s). The internal reporting enables focused conversations to take place, impacts to be understood, insights to be developed and actions implemented, which leads me to …
- Continuous improvement from learnings. Risk continues to evolve. Risk reflections as part of any risk & compliance committee meeting, management meeting or board meeting are a critical part of the risk management process. These learnings & periodic risk profiling sessions feed back into the risk management system, ensuring ‘the licensee’s risk management systems will adapt as their business develops and business risk profile changes over time’ (ASIC RG 104.64) – possibly another ‘tahdah’ is required at this point.
Assistance with a risk management system for an Underwriting Agency or meeting insurers’ CPS 230 requirements
If you need assistance:
- reviewing the adequacy of your risk management system against your AFSL & the insurers’ CPS 230 requirements; &/or
- designing and implementing a tailored (to your business) Risk & Compliance Manual, Control Testing Program or Monitoring Program that provides assurance for your business and to your insurance partner(s),
contact me.