Governance is a system that provides a framework for managing organisations. It identifies who can make decisions, who has the authority to act on behalf of the organisation and who is accountable for how an organisation and its people behave and perform.
A simple illustration of good governance is the doctrine of the separation of powers. The doctrine of the separation of powers divides the institutions of government into three branches: legislative, executive and judicial: the legislature makes the laws; the executive puts the laws into operation; and the judiciary interprets the laws.
Governance is about the time you dedicate to working ‘on’ your business, rather than ‘in’ it. This includes all the checks and balances you put in place to ensure your business runs smoothly, meets its objectives, stays out of trouble and protects the things that matter (your business, people, customers, business partners and other key stakeholders).
The elements of Governance for General Insurance
A system of good Governance comprises the following elements:
- A framework approach – frameworks provide a system of consistency of approach ensuring that an operating rhythm is created for risk & compliance. A framework ensures that the risk & compliance measures of a business evolve as the business grows & adapts to internal & external change.
- Roles and responsibilities – clarity and accountability about who does what is important – ‘doing, monitoring and oversight’ require separate & independent people, boards or committees with a specific focus and purpose (documented through position descriptions and charters). Examples of roles & responsibilities in insurance include directors, officers, responsible persons (FAR), responsible managers (AFSL) and fit & proper people (AFSL). Aligned to roles and responsibilities are delegated authority, the 3 lines of defence model & reporting lines.
- Delegated authorities – the key to DA is the source of ultimate authority. Typically this will be the Board, SOOA (for foreign insurers) or business owner(s). Authority provides a mechanism to manage decision-making. Authorities (underwriting, claims, financial, strategy etc) are linked to experience, skills and knowledge, ensuring that decisions are being made by the appropriate people. The key to delegated authority is that you can’t give (authority) what you don’t have.
- 3 lines of defence model – conceptually, the 3 lines of defence model continues to be the fundamental cornerstone of good governance across general insurance. The 1st line, typically business operations, manages risk & compliance; the 2nd line provides frameworks, oversight, monitoring and advice; and the 3rd line is Internal Audit. Significantly, APRA Prudential Standards create the role of the Auditor with reporting obligations to the Board and separate & distinct obligations to APRA, ensuring a degree of independence. The 3 lines of defence model is based on the doctrine of the separation of powers – each line is separate from, and has a degree of independence from, the other lines.
- Reporting lines – it’s critical that organisation structures and reporting lines enable an unfettered ability to perform work and discharge responsibilities. For example, 2nd line risk and compliance teams must not report to business heads. Underwriting and claims are generally separated by reporting lines to adequately manage conflicts of interest. IDR teams (under RG 271) are generally separate from underwriting and claims teams.
- Risk and compliance committees – committees provide essential oversight for the management of risk & the adequacy of compliance measures. The composition of the committee is critical and must be based on independence, a cross-section of skills, competencies, experience, backgrounds & business functions and provide for a diversity of thinking.
- Document taxonomy – risk and compliance frameworks must be documented in an enterprise manual or similar. Depending on the nature, scale and complexity of the business, a typical taxonomy is enterprise risk & compliance manual – policies – standard operating procedures – registers and IT systems. Registers contain the life-blood of the business and the evidence that risk & compliance is operating effectively. Registers should be maintained for: risk, obligations, incidents & breaches, conflicts of interest, training, complaints & service suppliers. With CPS 230 it’s critical to process map key operations and activities to understand the assets and resources that enable each activity to be provided and to understand the impacts of business disruption.
- Data – the framework, operating rhythm, systems etc must produce data that is then provided to risk & compliance committees, roles etc to ensure the health of risk & compliance measures, the identification of issues, incidents & breaches, and continuous improvement. Data flows from the registers, control testing, monitoring and QA & should be analysed and interpreted.
- Key controls – the control environment, including control testing, is critical to ensure that risk & compliance measures are designed effectively and operating effectively. The control environment provides assurance to boards, management and committees. Controls include people, process and technology.
If you need assistance in reviewing your risk and compliance measures to ensure that you have the appropriate level of governance, speak with me.