In March the Cayman Islands Monetary Authority issued a new Rule – Risk Management – Insurers. The new Rule applies to both domestic (commercial) insurers and captives and requires them to adopt a risk management strategy to address all the risks that they are subject to, discusses Lisa M. Bowyer, principal consultant, Liberty Consulting Ltd.
Insurers generally manage certain risks e.g. credit risk; insurance underwriting and reinsurance risks; and investment risk closely, but insurers are now being required to look at their entire operation in terms of all material risks faced with a view to applying governance arrangements, internal controls and reviews and reporting including independent audits or actuarial or compliance reviews.
Rationale for Requirement
All companies already adopt an approach to risk, e.g. employee screening to reduce the possibility that internal theft will occur or clients will be lost due to bad service. In business, taking risks is one way to make profits, but risk should be measurable and controlled and reduced to the optimum level. Good regulation only ever seeks to ensure all companies conduct themselves in the manner that any responsible business would conduct itself. Good regulation does not require insurers to completely eliminate all their risks.
Regulators want financial services companies to document their approach to all risk for a number of reasons:
1. To evidence what the strategy is, essentially to prove what it says is true and implemented. The regulator must be able to see the process used to determine the strategy to assess whether it is appropriate for that particular insurer.
2. To ensure that the agreed strategy is adopted at sufficiently high level so that its effects will trickle down and throughout many other aspects of the business’s organisation and governance which are affected by the approach to risk.
3. To reveal those companies that take an approach that is excessively risk tolerant. Regulators are concerned about the market as a whole, the concept of limited liability means that some directors worry less about the implications of failure. Taking risks typically brings higher profits but in the case of regulated entities there is a public interest to ensuring that policyholders are not frequently left without cover due to failed insurers and also to provide stability in the market for insurance so that businesses and individuals are able to manage their risks. In the case of off shore financial centres, weeding out reckless risk takers also protects the reputation of the jurisdiction, since a disproportionally high number of failed financial services companies may imply poor regulation which would lead to a loss of good quality international clients.
Risk management for domestic insurers
The new Rule mandates that insurers address the monitoring and control of all material risks. As a minimum the risks must include: credit risk; insurance underwriting and reinsurance risks; investment risk; market risk; strategic and tactical risks arising from the business plan; concentration risk; compliance risk; and operational risk.
Of these it is likely that most insurers in Cayman will only face new consideration of compliance and operational risk as a result of the new Rule since the other risks have traditionally been closely evaluated as part of the normal business of an insurance company. However, it is important to clearly document and explain the approach and strategy, to harmonise this with the approach to risk adopted for the entire organisation and provide for reviews and testing at an appropriate frequency.
Risk management for captive insurers
In the case of captives, the majority of which in Cayman are managed by an insurance manager, the whole ethos of the establishment of the captive is to address the risk of the parent company or owners. The primary risk is the insurance risk which the managers and actuaries are expert in assessing and managing. Any governance risk will stem from the relationship with the owners, and the relationship with the manager. For this reason, close attention should be paid to the management agreement and other agreements in place with service providers.
The International Association of Insurance Supervisors, the international standard setter for insurance supervision, has stated that whilst the nature of the risks to which captives are exposed is similar to that of commercial insurers, the degree and diversity of exposure may differ. It has listed a number of risks as possibly applying to a greater extent to captives than to commercial insurers:
- Control of outsourced insurance management function
- Management risk
- Location of owners and captives in different jurisdictions
- Legislative developments affecting captives
- Concentration of assets
- Failure of a fronting insurer
- Lack of risk diversification
- High claims volatility
- High liquidity risk
- Exposure to related parties
- Potential risk of money laundering, terrorist financing and fraudulent activities
- Dependency on the financial strength of the parent
- Reinsurance risk
- Taxation issues
- Counterparty risk resulting from
- Reliance on contingent capital
- Currency risk
Captives should thus consider adopting a resolution to formalise its strategy for addressing the above risks at the first opportunity. The Monetary Authority has given a grace period of six to ten months so the next board meeting should be soon enough in most cases. The resolution may include a statement that one or more of the risks are not applicable or negligible but it is important to document that assessment.
Risk management and compliance
The Rule requires the Board of the licensee to approve and review the risk management strategy but senior management are responsible for the creation and implementation of the strategy. As is seen above captives are advised to consider the management arrangements in order to identify and address any risk of poor management. In the case of commercial or self governed captive insurers, ‘governance risk’ is more difficult to address since it requires an honest self assessment of the probability of failings by the Board and senior management. Thus at this level, risk management is effectively a matter of sound