RISK-FOCUSED SURVEILLANCE FRAMEWORK UPDATE
Agenda
•Overview of Risk Assessment Cycle
•Conducting Risk-Focused Exams
•Seven Phases to Conducting Exams
•Status and Project Timeline
Risk Assessment Cycle
[Figure: Risk Assessment Cycle diagram. Labels: Insurer Profile Summary; Internal/External Changes; Examination; Priority System; Supervisory Plan.]
Examination
•Risk Based Examination
•Identify Functional Activities
•Identify/Assess Inherent Risk
•Identify & Evaluate Controls
•Determine Residual Risk
•Establish Procedures and Conduct Exam
•Update Supervisory Plan
•Exam Report/Mgmt Letter
Off-Site Risk Focused Financial Analysis
Financial Analysis includes:
•Risk Assessment Results
•Financial Analysis Handbook Process
•Ratio Analysis (IRIS, FAST, Internal Ratios)
•Actuarial Analysis
•Update with internal/external changes
Internal/External Changes
Consider Changes to:
•NRSRO Ratings
•Ownership/Management/Corporate Structure
•Business Strategy/Plan
•CPA Report or Auditor
•Legal or Regulatory Status
Priority System
Priority System Based on Dept. Analysis and NAIC Financial Analysis Tools:
•Scoring System
•ATS Results
•IRIS Ratios
Supervisory Plan
Develop Ongoing Supervision That Includes:
•Frequency of Exams
•Scope of Exams
•Meetings with Company Management
•Follow-Up on Recommendations
•Financial Analysis Monitoring
Insurer Profile Summary
•General/Basic Information
•Business Summary
•Priority Rating
•Regulatory Findings
•Regulatory Plan
•External Information
•Key Financial Data
•Overall Summary
Seven-Phase Examination Process 1-4
Phase 1 – Understand the Company and Identify Key Functional Activities to be Reviewed
Phase 2 – Identify and Assess Inherent Risks in Activities
Phase 3 – Identify and Evaluate Risk Mitigation Strategies/Controls
Phase 4 – Determine Residual Risk
Seven-Phase Examination Process 5-7
Phase 5 – Establish/Conduct Exam Procedures
Phase 6 – Update Prioritization and Supervisory Plan
Phase 7 – Draft Exam Report and Management Letter Based on Findings
Risk Assessment Matrix
[Figure: Risk Assessment Matrix template. Header fields: 1a; 1b – Overall Risk; 1c – Analytical; Key Activity. Columns are numbered 1d, 2a-2e, 3a-3c, 4a-4c, 5, 6, 7 and are grouped under Phase 1 through Phase 7. Section labels: Risk Identification; Inherent Risk Assessment; Risk Mitigation Strategy/Control; Residual Risk Assessment. Column headings: Sub-activities; Identified Risks; Branded Risk; Likelihood; Impact; Overall Inherent Risk Assessment; Risk Mitigation Strategy/Control; Evidence & Document Testing Controls; Overall Risk Mitigation Strategy/Control Assessment; Calculated Residual Risk; Judgmental Residual Risk; Overall Residual Risk Assessment; Examination Procedures/Findings; Prioritization Results; Supervisory Plan; Report Findings & Management Letter Comments. Row groups: Risks Other than Financial Reporting; Financial Reporting Risks.]
Parts to Phase 1
1. Understanding the Company
2. Understanding the Corporate Governance Structure
3. Assessing the Adequacy of the Audit Function
4. Identifying Key Functional Activities
5. Consideration of Prospective Risks
Phase 1 – Understand the Company/Identify Key Activities
Steps to Part 1 - Understanding the Company
1. Gather Necessary Planning Information
2. Review the Gathered Information
3. Analytical and Operational Reviews
4. Consideration of Information Technology Risk
5. Update the Insurer Profile
Part 2- Understanding the Corporate Governance Structure
Understanding the Organizational Structure
Understanding & Assessing the Board of Directors
Understanding & Assessing Management
Part 3 - Assessing the Adequacy of the Audit Function
•External audit
•Internal audit
External:
•Provide understanding of control structure
•Understand CPA’s risk assessment
•Review compliance and substantive procedures
Internal:
•Financial
•Operational
•Compliance
•IS or Technology
Part 4- Identify Key Functional Activities
Identify key activities using company background information from various sources.
Part 5-Consideration of Prospective Risks
Consideration of prospective risks is an intrinsic element of a risk-focused examination and should occur throughout all phases of the examination process
Phase 2 – Identify Inherent Risk
Key activities and sub-activities identified in Phase 1 are the building blocks for identifying inherent risk.
Inherent risk is the risk before considering internal controls.
The examiner asks the question, “What can go wrong?” for each of the key activities.
Inherent risk that has been identified is then classified into the branded Risk Classifications:
•Credit
•Market
•Pricing/Underwriting
•Reserving
•Liquidity
•Operational/Financial Rptg.
•Legal
•Strategic
•Reputational
Phase 2 – Assess Inherent Risk
Inherent risk is assessed by considering: the likelihood of occurrence, the magnitude of impact and examiner’s judgment.
Likelihood of Occurrence: The likelihood that the risk will occur or would prevent a process or activity from attaining its objectives.
•Low: rare occasions.
•Moderate-low: at some time.
•Moderate-high: probably occur at some time.
•High: expected to occur most of the time.
Magnitude of Impact: The potential impact or potential materiality of a risk.
Magnitude of Impact is measured as:
•Threatening: Greater than 5% of surplus
•Severe: 3-5% of surplus
•Moderate: 1-3% of surplus
•Immaterial: Less than 1% of surplus
Probability of Occurrence (rows) against Magnitude of Impact (columns):
Probability of Occurrence | Threatening | Severe | Moderate | Immaterial
High | High | High | High | Moderate
Moderate-High | High | High | Moderate | Moderate
Moderate-Low | High | Moderate | Moderate | Low
Low | Moderate | Moderate | Low | Low
Phase 3 – Risk Mitigation Strategies
The insurer’s control risk should be assessed by determining how well the risk mitigation strategies/controls offset the inherent risks identified.
Leverage off work of external/internal audit and company self-assessments.
The Overall Risk Mitigation Strategy/Control Assessment ratings to be indicated in the Risk Assessment Matrix are:
•Strong Risk Management
•Moderate Risk Management
•Weak Risk Management
Phase 4 – Determine Residual Risk
Inherent Risk – Internal Controls = Calculated Residual Risk
Overall Residual Risk = Calculated Residual Risk +/- Examiner’s Judgment
Inherent Risk | Strong Controls | Moderate Controls | Weak Controls
High IR | Moderate to High | Moderate to High | High
Moderate IR | Low to Moderate | Moderate | Moderate
Low IR | Low | Low | Low
IR = Inherent Risk
Phase 5 – Establish/Conduct Exam Procedures
After completion of the Risk Assessment for key activities, the nature and extent of testing can be determined and the examination procedures designed accordingly.
Examination procedures should be selected to correspond with the financial reporting and other than financial reporting risks noted within the entity.
Phase 5 – Establish Exam Procedures
Key Concept:
Focus examination effort where there is more risk.
Examination procedures should be designed to focus on the risks that remain after consideration of internal controls.
•High Residual Risk – Substantive tests
•Moderate Residual Risk – Fewer substantive tests and analytical procedures
•Low Residual Risk – Minimal substantive tests, more analytical procedures, potentially eliminate tests.
Phase 6 – Update Prioritization and Supervisory Plan
From relevant and material findings:
•Update priority score
•Establish the Supervisory Plan for on-going analysis
•Examination Report and Management Letter should be a reflection of the Prioritization and Supervisory Plan
Phase 7 – Draft Exam Report and Management Letter
Examination Report – Contains the findings of the examination related to the scope
Management Letter – Optional tool to convey results and observations noted during the exam that are not needed in the public report
•Vehicle for ongoing dialogue with insurer
•Content determined by state insurance department
Timeline
2004 – Adoption of Risk-Focused Surveillance Framework
2004-2006 – Handbook Revisions Exposed for Comment
2006 – Adoption of the Revisions to the NAIC Financial Condition Examiners Handbook
2006-2009 – Training Program for Implementation of the Risk-Focused Process
2007-2009 – Dual Examination Approach
2010 – Proposed Accreditation Standards