Managing compliance in General Insurance through obligations and key controls

‘Documentation helps you demonstrate whether or not you are complying with the general obligations.’ – ASIC RG 104.26

Insurers, underwriting agencies, TPAs, Lloyd's coverholders, insurance brokers and claims service suppliers have a myriad of obligations to comply with. The processes, procedures, systems and people through which you comply with those obligations are collectively known as your ‘compliance measures’.

Your compliance measures, together with your governance mechanisms, should work as an operating rhythm that manages your obligations in a systematic manner, incorporates changes, evolves as your business grows and responds to the external environment.

The Risk & Compliance Manuals that I design and tailor for my general insurance clients achieve this purpose through the following:

1. Identifying the source of your obligations

The sources of your obligations are defined by:

  • Who are you? – an APRA regulated insurer holding an AFS Licence and subscribing to the GI Code has different obligations to a NIBA insurance broker who is an authorised representative of a Licensee.
  • Who do you act on behalf of? – an underwriting agency or material service provider acting on behalf of an insurer, or an insurance broker acting on behalf of a client?
  • What do you do? – do you provide financial advice, issue general insurance products, provide a claims handling service, or act as a claims service supplier to an APRA regulated insurer?
  • How do you do it? – do you distribute direct or through brokers, do you sell through human interaction or automated processes, do you handle claims under your own licence or through a TPA?
  • Who are your clients? – retail or wholesale clients, consumer insurance contracts or other insurance contracts, standard form contracts?

2. Capture your obligations

For my small to medium sized clients I capture obligations within their Risk & Compliance Manual, providing a single source document. Larger clients usually have a stand-alone obligations register.

The manual or register should also record the source of each obligation (e.g., Section 912A(1)(a) Corporations Act or paragraph 21 GI Code of Practice); this enables the reader to deep-dive into the actual obligation when required.

3. Assign key controls

This is the heart of ensuring your compliance measures are adequate. One or more key controls are assigned to each obligation so that the obligation is managed within risk appetite. The focus of the Board, Senior Managers and Risk & Compliance Committee then shifts from the numerous obligations to a suite of more manageable key controls.

4. Test your key controls

A key control that is not periodically tested is no control. Testing should incorporate (1) design effectiveness – is it fit for purpose? and (2) operational effectiveness – is it operating as intended?

Gaps must be identified, reported and closed out in a timely manner. Each gap must also be assessed to determine whether it amounts to a regulatory or Code breach.

You must have a control testing program.

5. Monitoring and reviewing your compliance measures

Your compliance measures must be monitored on an ongoing basis.

An effective risk & compliance operating rhythm generates data: incidents, complaints, control testing, file reviews, attestations, QA activity and so on. That data enables the adequacy of your compliance measures to be measured and evaluated at any point in time.

You must have a Monitoring Program that applies to your representatives including authorised representatives and Material Service Providers.

6. Reporting on your compliance measures

An important component of overseeing the adequacy of your compliance measures is reporting to your Board, Senior Management and Risk & Compliance Committee. This enables the data to be analysed and interrogated from many different perspectives. It also enables directors, officers, responsible managers, accountable persons and others to discharge their regulatory duties and obligations.

7. Incorporating change and reviewing the compliance system

The operating rhythm itself should be subject to a periodic (e.g. annual) review and be capable of adapting to new obligations and to changes in existing obligations (regulatory change).

Put simply, the new or amended obligation is incorporated into your Manual or Register, assigned key control(s), and the cycle commences again.

Need assistance?

Speak to me if you need assistance to apply an operating rhythm to manage your compliance measures.

Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the written express consent of the author. The views, opinions, and positions expressed within this article are those solely of the author and Compliance Advocacy Solutions Pty Ltd and not the views of other individuals, companies or organisations they may be affiliated with. The author and Compliance Advocacy Solutions Pty Ltd make no representations as to accuracy, completeness, currency, suitability, or validity of any information in this article and will not be liable for any errors or omissions or any loss or damage arising from its use or reliance. This article is intended for educational and informational purposes only and should not be relied upon as professional legal advice.