RISK-FOCUSED SURVEILLANCE FRAMEWORK UPDATE

Agenda

Overview of Risk Assessment Cycle

Conducting Risk-Focused Exams Seven Phases to Conducting

Exams

Status and Project Timeline

Risk Assessment Cycle

INSURER PROFILE

SUMMARY

Internal/External Changes

Examination

Priority System

Supervisory Plan

•Risk Based Examination•Identify Functional Activities•Identify/Assess Inherent Risk•Identify & Evaluate Controls•Determine Residual Risk•Establish Procedures and Conduct Exam

•Update Supervisory Plan•Exam Report//Mgmt Letter

Develop Ongoing Supervision That Includes:

•Frequency of Exams•Scope of Exams•Meetings with Company Management

•Follow-Up on Recommendations

•Financial Analysis Monitoring

•Priority System Based on Dept. analysis and NAIC financial Analysis tools:

•Scoring System•ATS Results•IRIS Ratios

•Financial Analysis includes:•Risk Assessment Results •Financial Analysis Handbook Process

•Ratio Analysis (IRIS, FAST, Internal Ratios)

•Actuarial Analysis•Update with internal/external changes

Off-Site Risk Focused Financial

Analysis

Consider Changes to:•NRSRO Ratings •Ownership/Management/ Corporate Structure

•Business Strategy/Plan•CPA Report or Auditor•Legal or Regulatory Status

Examination

•Risk Based Examination•Identify Functional Activities•Identify/Assess Inherent Risk•Identify & Evaluate Controls•Determine Residual Risk•Establish Procedures and Conduct Exam•Update Supervisory Plan•Exam Report//Mgmt Letter

Off-Site Risk Focused Financial Analysis

•Financial Analysis includes:•Risk Assessment Results •Financial Analysis Handbook Process•Ratio Analysis (IRIS, FAST, Internal Ratios)•Actuarial Analysis•Update with internal/external changes

Internal/External Changes

Consider Changes to:•NRSRO Ratings •Ownership/Management/ Corporate Structure•Business Strategy/Plan•CPA Report or Auditor•Legal or Regulatory Status

Priority System

Priority System Based on Dept. analysis and NAIC financial Analysis tools:•Scoring System•ATS Results•IRIS Ratios

Supervisory Plan

Develop Ongoing Supervision That Includes:

•Frequency of Exams•Scope of Exams•Meetings with Company Management•Follow-Up on Recommendations•Financial Analysis Monitoring

Insurer Profile Summary

General/Basic Information

Business Summary Priority Rating Regulatory Findings Regulatory Plan External Information Key Financial Data Overall Summary

Seven-Phase Examination Process 1-4

Phase 1 – Understand the Company and Identify Key Functional Activities to be Reviewed

Phase 2 – Identify and Assess Inherent Risks in Activities

Phase 3 – Identify and Evaluate Risk Mitigation Strategies/Controls

Phase 4 – Determine Residual Risk

Seven-Phase Examination Process 5-7

Phase 5 – Establish/Conduct Exam Procedures

Phase 6 – Update Prioritization and Supervisory Plan

Phase 7 – Draft Exam Report and Management Letter Based on Findings

Risk Assessment Matrix

1a

Phase 1 Phase 5 Phase 6 Phase7

1d 2a 2b 2c 2d 2e 3a 3b 3c 4a 4b 4c 5 6 7

1b – Overall Risk

Risks Other than Financial Reporting

Financial Reporting Risks

Ex

am

ina

tio

n

Pro

ced

ures

/ F

ind

ing

s

Prio

rit

iza

tio

n R

esu

lts

Su

perv

iso

ry

Pla

n

Su

b-a

cti

vit

ies

Iden

tifi

ed

Ris

ks

Bra

nd

ed

Ris

k

Lik

eli

ho

od

Imp

act

Ov

era

ll

In

heren

t R

isk

Ass

ess

men

t

Ris

k M

itig

ati

on

Str

ate

gy

/Co

ntr

ol

Ev

iden

ce &

Do

cu

men

t

Test

ing

Co

ntr

ols

Rep

ort

Fin

din

gs

&

Ma

na

gem

en

t L

ett

er

Co

mm

en

ts

Ov

era

ll R

isk

Mit

iga

tio

n

Str

ate

gy

/Co

ntr

ol

Ass

ess

men

t

Ca

lcu

late

d R

esi

du

al

Ris

k

Ju

dg

men

tal

Resi

du

al

Ris

k

Ov

era

ll R

esi

du

al

Ris

k

Ass

ess

men

t

Risk Identificatio

Inherent Risk Assessment

Risk Mitigation Strategy/Control

Residual Risk Assessment

Phase 2 Phase 3 Phase 4

1c – Analytical

Key Activity

Parts to Phase 1

1. Understanding the Company2. Understanding the Corporate

Governance Structure3. Assessing the Adequacy of the Audit

Function4. Identifying Key Functional Activities5. Consideration of Prospective Risks

Phase 1 – Understand the Company/Identify Key Activities

Steps to Part 1- Understanding the Company

1. Gather Necessary Planning Information

2. Review the Gathered Information3. Analytical and Operational Reviews4. Consideration of Information

Technology Risk5. Update the Insurer Profile

Phase 1 – Understand the Company/Identify Key Activities

Part 2- Understanding the Corporate Governance Structure

Understanding the Organizational Structure

Understanding & Assessing the Board of Directors

Understanding & Assessing Management

Phase 1 – Understand the Company/Identify Key Activities

Part 3-Assessing the Adequacy of the Audit Function

External audit Internal audit

Phase 1 – Understand the Company/Identify Key Activities

Part 3-Assessing the Adequacy of the Audit Function

External Provide understanding of control

structure Understand CPA’s risk assessment Review compliance and substantive

procedures

Phase 1 – Understand the Company/Identify Key Activities

Part 3-Assessing the Adequacy of the Audit Function

Internal Financial Operational Compliance IS or Technology

Phase 1 – Understand the Company/Identify Key Activities

Phase 1 – Understand the Company/Identify Key Activities

Part 4- Identify Key Functional Activities

Identify key activities using company background information from various sources.

Phase 1 – Understand the Company/Identify Key Activities

Phase 1 – Understand the Company/Identify Key Activities

Part 5-Consideration of Prospective Risks

Consideration of prospective risks is an intrinsic element of a risk-focused examination and should occur throughout all phases of the examination process

Phase 2 –Identify Inherent Risk

Key activities and sub-activities identified in Phase 1 are the building blocks for identifying inherent risk.

Inherent risk is the risk before considering internal controls.

The examiners asks the question, “What can go wrong?” for each of the key activities.

Phase 2 –Identify Inherent Risk

Inherent risk that has been identified is then classified into the branded Risk Classifications.

Credit Market Pricing/Underwriting

Reserving Liquidity Operational/ Financial Rptg.

Legal Strategic Reputational

Phase 2 –Assess Inherent Risk

Inherent risk is assessed by considering: the likelihood of occurrence, the magnitude of impact and examiner’s judgment.

Phase 2 –Assess Inherent Risk

Likelihood of Occurrence: The likelihood that the risk will occur or would prevent a process or activity from attaining its objectives.

Low: rare occasions. Moderate-low: at some time. Moderate-high: probably occur at some time. High: expected to occur most of the time.

Phase 2 –Assess Inherent Risk

Magnitude of Impact: The potential impact or potential materiality of

a risk.

Magnitude of Impact is measured as: Threatening: Greater than 5% of surplus Severe: 3-5% of surplus Moderate: 1-3% of surplus Immaterial: Less than 1% of surplus

Magnitude of Impact Probability of Occurrence Threatening Severe Moderate Immaterial

High High High High Moderate Moderate-High High High Moderate Moderate Moderate-Low High Moderate Moderate Low Low Moderate Moderate Low Low

Phase 2 –Assess Inherent Risk

The insurer’s control risk should be assessed by determining how well the risk mitigation strategies/controls offset the inherent risks identified

Leverage off work of external/internal audit and company self-assessments.

Phase 3 – Risk Mitigation Strategies

Phase 3 – Risk Mitigation Strategies

The Overall Risk Mitigation Strategy/Control Assessment ratings to be indicated in the Risk Assessment Matrix are:

Strong Risk Management Moderate Risk Management Weak Risk Management

Phase 4 – Determine Residual Risk

Inherent Risk – Internal Controls = Calculated Residual Risk

Overall Residual Risk = Calculated Residual Risk

+/- Examiner’s Judgment

Strong Controls

ModerateControls

Weak Controls

High IRModerate to High

Moderate to High

High

Moderate IR

Low to Moderate

Moderate Moderate

Low IR Low Low Low

IR = Inherent Risk

Phase 4 – Determine Residual Risk

Phase 5 – Establish/Conduct Exam Procedures

After completion of the Risk Assessment for key activities, the nature and extent of testing can be determined and the examination procedures designed accordingly.

Examination procedures should be selected to correspond with the financial reporting and other than financial reporting risks noted within the entity.

Phase 5 –Establish Exam Procedures

Key Concept:

Focus examination effort where there is more risk.

Examination procedures should be designed to focus on the risks that remain after consideration of internal controls.

High Residual Risk – Substantive tests Moderate Residual Risk – Fewer substantive tests and

analytical procedures Low Residual Risk – Minimal substantive tests, more

analytical procedures, potentially eliminate tests.

Phase 6 – Update Prioritization and Supervisory Plan

From relevant and material findings: Update priority score Establish the Supervisory Plan for on-

going analysis Examination Report and Management

Letter should be a reflection of the Prioritization and Supervisory Plan

Phase 7 – Draft Exam Report and Management Letter

Examination Report – Contains the findings of the examination related to the scope

Management Letter – Optional tool to convey results and observations noted during the exam that are not needed in the public report Vehicle for ongoing dialogue with insurer Content determined by state insurance

department

2004-2006 Handbook Revisions Exposed

for Comment

2006 - 2009 – Training Program for Implementation

of the Risk-Focused Process

2004 Adoption of Risk-Focused Surveillance Framework

2010 Proposed Accreditation

Standards

2006 – Adoption of the Revisions to the NAIC Financial Condition

Examiners Handbook

Timeline2007-2009

Dual Examination Approach