Compliance Risk Management

FCS DEEPAK P. SINGH | Feb 28, 2022 |

Compliance risk is the risk that a company's actions or inactions result in regulatory intervention or regulatory action, which could adversely affect the company's reputation. It is one of the most important risks in the insurance sector. The insurance regulator, IRDAI, has penalised many insurance companies, insurance intermediaries, TPAs, insurance brokers etc. for non-compliance with, and non-fulfilment of, regulatory requirements. In some cases, IRDAI has refused to renew, or has revoked, the licence of an insurance company on the grounds of non-compliance.

Penalty orders are generally published in newspapers and on the Authority's website. This damages the company's reputation in the market and erodes the trust of the market, of prospects and of the policyholders of the insurance company. A company against which the regulator has imposed many penalties for not complying with the specified rules and regulations is shown to lack corporate governance and internal controls commensurate with its size and diversity. The Government and the Regulator have issued various guidelines, rules, regulations, circulars, notifications and instructions to protect the interest of the general public. Prospects decide to take insurance cover from an insurer on the basis of their assessment of its financial stability and strength. If an insurance company becomes insolvent or is unable to pay the claims of its policyholders when the insured event occurs, the public and the regulator lose confidence in the insurer, and the regulator terminates its licence through regulation, keeping the welfare and interest of policyholders in mind.

It is therefore very important for an insurer or insurance intermediary to follow all specified rules and regulations and to submit the required returns to the various authorities, so that those authorities can assess its financial strength and its ability to pay the present and future claims of its policyholders.

It is the duty of all players in the insurance industry, i.e. insurance companies, insurance intermediaries, agents and others, to follow the rules, regulations and instructions of the regulator, both for the development of the insurance industry and for the protection of the interests of policyholders and other stakeholders. These regulations require insurance players to operate fairly and ethically while dealing with public money, which comes into their coffers by way of premium. Insurance companies are considered custodians of public money and should act in a fair and ethical way.

What is the meaning of compliance risk management?

Compliance risk management is the process of identifying, assessing and mitigating potential losses that may arise from an organization’s noncompliance with laws, regulations, standards, and both internal and external policies and procedures.

Compliance risk management, which is a subset of compliance management, involves identifying, assessing, and monitoring the risks to your enterprise’s compliance with regulations and industry standards, putting internal controls in place to ensure that you are compliant, and monitoring those controls to be sure that they’re effective on an ongoing basis.

A compliance risk management program notes the material losses and exposures to your organization that non-compliance could cause, including legal penalties, fines, business loss, and reputational loss.

Compliance Risk Management aims to proactively identify the compliance risks by respective functional units, identifying the current controls and taking corrective actions to mitigate the Compliance Risks.

Compliance risk is any threat to an organisation's financial, operational or reputational standing arising from non-compliance. A well-defined compliance process reduces the organisation's overall risk of violating these laws and standards, and of facing the consequences.

Compliance management and risk management are related, but they are not the same thing. Risk management involves predicting and managing risks so that an organisation can protect itself from risks that might eventually lead to non-compliance. Compliance management, for its part, is the process of managing compliance within the boundaries of a time frame and a budget. Non-conformance with compliance regulations is itself a risk.

PLEASE NOTE THAT: Business is changing so rapidly that the old, reactive ways of managing compliance risks might lead organizations to fall behind the competition or leave them exposed to larger regulatory or reputational risks than they ever expected.

This is why some organizations are finding ways to better manage compliance risks and be more risk intelligent, which involves being more aware of today’s risks. You need an integrated compliance model across the organization to keep compliance risk in check, and to ensure that ethics policies are followed at every level in the organization.

It requires a holistic approach toward managing compliance in an organization. The goal is to provide a single, enterprise-wide solution toward managing compliance. The benefits of an integrated compliance strategy include reduced risk, faster time to market, reduced costs, enhanced customer experiences, and more.

It is the duty of the Chief Compliance Officer to put in place a framework for the identification and mitigation of compliance risks.

PLEASE NOTE that compliance with the various regulatory rules and guidelines is the duty of the functional heads of the insurance company and not of the Chief Compliance Officer. Thus, the compliance risk management process is owned by the respective functional units, and the Chief Compliance Officer facilitates them in compliance.

AN EFFECTIVE COMPLIANCE RISK MANAGEMENT PROCESS INVOLVES THE FOLLOWING STEPS;

(1) Identification of potential compliance risks;

(2) Rating of the risks;

(3) Current controls in place and evaluation of the adequacy of the current controls;

(4) Identification of new actions required to mitigate the risks;

(5) Projected risk rating after implementation of the new actionables;

(6) Preparation of Compliance Risk Registers;

(7) Follow-up review meetings with risk owners and actionable owners;

(8) Discussion with the EXCOM on the Compliance Risk Management Program.

LET’S DISCUSS POINT WISE;

1. IDENTIFICATION OF POTENTIAL COMPLIANCE RISKS;

First, we need a clear understanding of the various regulations, circulars and guidelines issued by the Authority that apply to the company. The Compliance Officer discusses the compliances required for the various processes within a function with the concerned functional head and assists the functional head in identifying potential gaps. For operational compliances, it is the functional head who is best aware of the potential gaps and of the possible exposure to compliance risk.

Let's consider an example. We know that the regulatory TAT for issuance of an insurance policy is 15 or 30 days from the date of receipt of the proposal form by the insurance company. The functional head of the Operations Department is the COO, and he is the best person to know how many times the company has breached the regulatory TAT; he will come up with solutions and actions to reduce TAT breaches and ensure compliance with the regulatory TAT.

NOTE: Every compliance risk must have a risk owner, and there is only one risk owner for each compliance risk.

2. RATING OF THE RISKS;

Risk rating is the exercise of assigning a rating to understand the seriousness of a risk. An insurance company faces many risks that need to be managed, including compliance risks, so it is important first to prioritise them and focus management's attention on those which deserve priority.

Rating a risk helps in understanding its gravity and in deciding which risks management wants to focus on first.

Once compliance gaps are identified, the next step is to prioritise the risks on the basis of the two parameters below:

  1. Probability of occurrence of the risk;
  2. Consequences if the risk occurs.

This helps us identify the risks which need to be focused on first.

3. CURRENT CONTROLS IN PLACE AND EVALUATION OF ADEQUACY OF CURRENT CONTROLS;

After identification of gaps and rating of risks, the next step is to identify the current controls in place in the organisation and their adequacy to check and mitigate the compliance risks. Taking stock of these controls is intended to decide what additional controls are feasible and essential to eliminate or mitigate the risks.

Consider, for example, the risk of an increasing number of customer complaints or grievances about mis-selling being reported to the Regulator. This would fall in the high-risk category. It is imperative first to identify what measures the company already has in place to prevent complaints from increasing.

We have to check what kind of controls are in place at the point of sale to avoid mis-selling, such as benefit illustrations signed by the customer, product brochures containing details of the product features given to the customer, etc.

The next step is to check whether the existing controls need any fine-tuning, or whether any further measures are needed to control the compliance risk.

4. IDENTIFICATION OF NEW ACTIONS REQUIRED TO MITIGATE RISKS

Identifying new actionables is the next logical step in mitigating or eliminating the risks. The Chief Compliance Officer must assist the COO in identifying the additional steps required.

Root cause analysis is an important process at this stage. For example, if customer understanding is the core issue behind mis-selling, the COO can consider a verification mechanism to confirm that the customer has understood the essential features of the product he or she is purchasing. The probable new action here would be identified as "Customer Verification", either in person or by phone call, depending on the size of the case.

NOTE: The new set of actions must be clear and specific (no motherhood statements allowed), and each action must have a deadline and the name of the person responsible for taking it. Multiple persons may be involved across multiple actions.

5. PROJECTED RISK RATING AFTER IMPLEMENTATION OF NEW ACTIONABLES;

This is the expected risk rating after all the identified actionables have been implemented. It gives the target to be achieved and is a useful guide for the risk owner.

6. PREPARATION OF COMPLIANCE RISK REGISTERS;

A Compliance Risk Register needs to be prepared with all of the above information properly documented and signed off by the respective owner. This becomes the "mother document" for future reference.

A risk register is prepared for each and every risk. The register typically contains the following information:

Definition of the risk: the definition should read like a newspaper headline, summarising the risk in two or three lines. It must state clearly what the risk is and what it could lead to or result in.

Example: the definition of the risk of an earthquake could be as follows;

"Risk that an earthquake occurs in the Bay of Bengal, leading to a tsunami on the east coast of India and resulting in mass destruction of lives and catastrophic claims to the Company."

  • Owner of the risk: normally there can be only one owner;
  • Current rating of the risk, based on the two parameters given above;
  • Current controls in place: this section lists the control measures already up and running that keep the risk at its current rating;
  • Actionables identified, to be performed by the various functions to mitigate the risk or, in an extreme scenario and for justified business reasons, to live with the risk;
  • Name of the person responsible for taking the actions: it could be the owner of the risk;
  • Estimated risk rating, assuming that the actionables are implemented on time. This rating should normally be lower than the risk rating before the actionables were taken.

7. FOLLOW-UP REVIEW MEETINGS WITH RISK OWNERS AND ACTIONABLE OWNERS;

The KEY RISK REPORT is the aggregation of the risk registers for the key risks identified by management; it is prepared to evaluate and discuss the Company's key risks from time to time. Management monitors the key risk report at least quarterly, with the assistance of the Risk Management Function. The key risk report is also discussed at the management-level and Board-level Risk Committees.

The most important step in the compliance risk management process is the follow-up meeting, held at least once a quarter with the risk owner and the actionable owner together, to review progress, find out the reasons for any sluggishness in progress, and remove the blocks to progress with the help of EXCOM members (the Management Committee comprising all direct reports to the CEO).

A follow-up review meeting may sometimes reveal that an identified action has to be modified or dropped, or that a new action has to be identified, because circumstances have changed. While such changes are acceptable, significant changes to the identified actions should not be needed: they denote that the initial exercise of identifying the actions was not done properly, and they result in avoidable waste of time and effort.
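The register fields, the two-parameter rating and the quarterly follow-up described in steps 2 to 7 above can be kept in a small structured register rather than a spreadsheet. The following is an added worked example, not code from the article or from any insurer; the 1-5 scales for probability and consequence, the High/Medium/Low band thresholds, the review date and the two sample entries (built from the mis-selling and TAT scenarios discussed above) are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# The article names the two rating parameters (probability of occurrence,
# consequences) but gives no scale. The 1-5 scales and the band thresholds
# below are assumptions for this example.
PROBABILITY: Dict[str, int] = {
    "rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5,
}
CONSEQUENCE: Dict[str, int] = {
    "negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5,
}
REVIEW_DATE = date(2022, 4, 30)  # assumed date of the quarterly follow-up meeting


def rating(probability: str, consequence: str) -> int:
    """Risk rating = probability score x consequence score (1..25)."""
    return PROBABILITY[probability] * CONSEQUENCE[consequence]


def band(score: int) -> str:
    """Map a numeric rating to the priority band management focuses on."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Actionable:
    description: str   # clear and specific, no motherhood statements
    owner: str         # named person responsible for taking the action
    deadline: date
    done: bool = False


@dataclass
class ComplianceRisk:
    risk_id: str
    definition: str    # headline-style: what the risk is and what it leads to
    owner: str         # exactly one risk owner per risk
    probability: str
    consequence: str
    current_controls: List[str] = field(default_factory=list)
    actionables: List[Actionable] = field(default_factory=list)
    # Expected parameters once all actionables have been implemented.
    projected_probability: str = "possible"
    projected_consequence: str = "moderate"

    def current_rating(self) -> int:
        return rating(self.probability, self.consequence)

    def projected_rating(self) -> int:
        return rating(self.projected_probability, self.projected_consequence)

    def overdue(self, as_of: date) -> List[Actionable]:
        """Open actionables past their deadline: the follow-up meeting agenda."""
        return [a for a in self.actionables if not a.done and a.deadline < as_of]


def validate(risk: ComplianceRisk) -> List[str]:
    """Sign-off checks mirroring the register rules in the article."""
    problems = []
    if not risk.owner.strip():
        problems.append(f"{risk.risk_id}: no risk owner")
    if not risk.current_controls:
        problems.append(f"{risk.risk_id}: no current controls recorded")
    for a in risk.actionables:
        if not a.owner.strip():
            problems.append(f"{risk.risk_id}: actionable '{a.description}' has no owner")
    if risk.projected_rating() > risk.current_rating():
        problems.append(f"{risk.risk_id}: projected rating exceeds current rating")
    return problems


def key_risk_report(register: List[ComplianceRisk], as_of: date) -> List[dict]:
    """Aggregate the register for management, highest current rating first."""
    rows = [{
        "risk_id": r.risk_id, "owner": r.owner,
        "current": r.current_rating(), "band": band(r.current_rating()),
        "projected": r.projected_rating(),
        "open_actions": sum(1 for a in r.actionables if not a.done),
        "overdue": len(r.overdue(as_of)),
    } for r in register]
    return sorted(rows, key=lambda row: row["current"], reverse=True)


# Constructed sample register based on the two scenarios in the article.
SAMPLE_REGISTER = [
    ComplianceRisk(
        "CR-01", "Risk that rising mis-selling complaints reported to the Regulator "
        "lead to a penalty order and loss of reputation.", "COO", "likely", "major",
        ["Benefit illustration signed by customer", "Product brochure given at point of sale"],
        [Actionable("Pre-issuance customer verification call above an assumed case size",
                    "Head of Operations", date(2022, 6, 30))],
        "unlikely", "major"),
    ComplianceRisk(
        "CR-02", "Risk that policy issuance exceeds the regulatory TAT, resulting in "
        "regulatory action.", "COO", "possible", "moderate",
        ["Weekly TAT breach MIS"],
        [Actionable("Automate proposal-to-issuance TAT alerts at day 10",
                    "Head of IT", date(2022, 3, 31))],
        "unlikely", "moderate"),
]

if __name__ == "__main__":
    for row in key_risk_report(SAMPLE_REGISTER, REVIEW_DATE):
        print(row)
```

The report sorts by current rating so the EXCOM sees the high-band risks first, and the overdue count per risk is exactly the list of items to raise at the quarterly follow-up; `validate()` enforces the single-owner, controls-recorded and "projected must not exceed current" rules before an owner signs off the register.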

8. DISCUSSION WITH EXCOM ON THE COMPLIANCE RISK MANAGEMENT PROGRAM;

The Compliance Risk Registers must be presented to the EXCOM by the Chief Compliance Officer for its review and advice. This exercise must be done at least once every half year. Any instructions given by the EXCOM must be implemented by the Chief Compliance Officer.

Reporting these risks ensures that senior management receives the information required to perform its oversight function and to make timely and effective decisions.

CONCLUSION: The concept of insurance is based on pooling the risks of many to pay the claims of the few insured who suffer an insured loss; in other words, insurance involves a transfer of risk from one party, such as an individual or company buying an insurance policy, to another, such as an insurance company. Insurance companies themselves are exposed to many risks in running the insurance business and need to take steps to eliminate or mitigate them. An insurance company faces various types of risk, such as financial risk, reputational risk, compliance risk, legal compliance risk, etc. Compliance risk is the most important risk factor for insurance companies. The Regulator has issued various rules, regulations and guidelines, and issues circulars from time to time, and any non-compliance with these exposes an insurance company to reputational and financial risk. In some cases, IRDAI may refuse to renew, or may cancel, the licence of an insurance company for non-compliance. Unless insurance companies manage their risks, they will not be in a position to deliver value to their customers effectively, stay afloat in the business and achieve their goals.

DISCLAIMER: The entire contents of this document have been prepared on the basis of the relevant provisions and the information existing at the time of preparation. Although care has been taken to ensure the accuracy, completeness and reliability of the information provided, the author assumes no responsibility for it. Users of this information are expected to refer to the relevant existing provisions of the applicable laws and to take appropriate advice from consultants. The user of the information agrees that the information is not professional advice and is subject to change without notice. The author assumes no responsibility for the consequences of the use of such information.
