Published 26 October 2022
In July 2021 the Australian Prudential Regulation Authority (APRA) required 10 general insurers to undertake a self-assessment of their risk management frameworks, in response to business interruption (BI) insurance coverage issues that arose from lockdowns and other COVID-19 restrictions.
The legal uncertainty as to whether cover had applied, the potential for significant financial exposure for insurers, and the impact on consumers during the height of the pandemic raised fundamental concerns about the strength of insurers’ risk management frameworks. APRA therefore required participating insurers to do the following:
- Review the robustness of their insurance risk management framework, assess whether it was effective in the context of BI, and identify areas for improvement.
- Assess the extent to which the insurance risk management framework would be effective in mitigating similar issues emerging within other product lines, including cyber risk.
- Provide a Board-endorsed assurance over the self-assessment, together with a remediation plan to address any identified deficiencies.
The self-assessments were completed in November 2021 and APRA has discussed the results with each participating insurer. In all cases, weaknesses were identified that needed addressing and rectification plans are now in place to make the necessary improvements.
While the individual insurer self-assessments are not being published, APRA has consolidated the key insights, including observed weaknesses and better practices. APRA expects all insurers to consider their own operations and practices in the light of these findings.
- Most insurers assessed the main reason for the BI issues was their failure to update policy wordings for the change in legislation. Many insurers acknowledged their awareness of the Quarantine Act legislation change in 2016, but for various reasons had not adjusted their wordings by the time the COVID-19 pandemic had commenced.
While this was an obvious area of failure, it takes a narrow view and ignores other vulnerabilities in BI wordings to possible pandemic exposure that may continue to exist. APRA urges insurers to be more alert to their susceptibility to risks arising from inadequate attention to policy wording. The focus on policy wording should be broader than legislative updates and should also be extended to all classes of business.
- Some insurers also acknowledged that, while they became aware of the problem once COVID-19 impacted Australia, the issue was given lower priority than other matters. In all cases this reflected a breakdown in sound insurance risk management and culture in areas such as risk acceptance, risk awareness and quantification. The risk of writing unintended pandemic cover should have raised concern across all three lines of defence, had visibility at Board level, and led to appropriate risk mitigation in response.
- It was observed by APRA, and acknowledged in many insurer engagements, that the most common exposure in the Australian market to unintended BI losses was in policies written in the small-to-medium enterprise (SME) segment. This observation was largely driven by the volume of complaints and cases included in the Federal Court actions in 2021. Given the lack of comparable action for larger clients, insurers should consider what the drivers were for such different outcomes for policies written for SME compared to larger clients, such as business type/size or distribution channel and subsequent controls around bespoke wordings.
- When exploring with insurers why wordings in the SME segment may have been more vulnerable, a “first-mover” disadvantage was raised by insurers. It was perceived that insurers would lose business if they revised wordings to bring risks within their risk appetite. This factor was not included in the written insurer self-assessments, however APRA recommends insurers challenge their approach in this area to ensure that risks underwritten are appropriately aligned with their risk appetite.
- Some insurers reported a mismatch between their policy wordings and the reinsurance contracts covering the risk. This misalignment exposed those insurers to the potential of reinsurance failing to respond, leaving them vulnerable. All these insurers acknowledged this was a breakdown in insurance risk management and have taken robust action to fix this issue.
- Many insurers acknowledged that the multiplicity and complexity of similar policy wordings contributed to their risk management weaknesses, and that consolidation, simplification and improved controls over wordings were the key remediation actions. The additional risks inherent in utilising third party underwriting arrangements was identified as an area for insurers to strengthen their controls.
- In their responses to assessment of their risk management of silent and affirmative cyber insurance, most insurers articulated a considered and carefully managed approach to coverage. Observations included an emphasis on clarity of coverage and exclusions for all stakeholders, with an ability to measure aggregate exposure for affirmative cyber cover a positive risk management feature. Some insurers still had work to do, particularly in the silent cyber area, to ensure they fully understood their potential aggregate exposures.
- The integration of insurance risk management into their broader risk management framework was acknowledged by some insurers to be underdeveloped. Some had simply assumed that underwriting teams had effective controls due to the existence of underwriting authority statements and manuals. The conclusion by these insurers was that insurance risk management in fact required distinct oversight by all three lines of defence as was the case for other risk categories within their overall risk management framework.
- For all participants, the results showed the importance of monitoring and testing the effectiveness of insurance risk controls with appropriate frequency and intensity, to cater for changes to the internal or external environment, including emerging and evolving risks.
The Appendix to this letter sets out these findings and better practices in more detail.
APRA’s supervisory focus for the coming period will concentrate on the effective completion of the remediation plans of participating insurers. APRA expects non-participating insurers to consider conducting their own self-assessments and adapt the learnings to their operations.
Insurance risk management forms part of APRA’s ongoing supervision activities with all insurers, including reinsurers. Where APRA considers significant risks remain, it will conduct targeted prudential reviews to ensure they are adequately addressed. Where progress is unsatisfactory, APRA may consider stronger supervisory measures to ensure meaningful and enduring change. This letter should be tabled for discussion at the next Board meeting.
APRA Deputy Chair
1. Risk Governance and Controls
Multiplicity and complexity of policy wordings
Many of the insurers whose BI wordings were found to be unclear in their coverage or exclusions had multiple versions of such policy wordings operating across numerous channels, including wordings kept in existence for legacy arrangements.
Managing multiple wordings for the same product over various distribution channels inhibits effective insurance risk management, as highlighted by risk governance and control failures not preventing unintended pandemic cover within BI.
APRA has concerns with variations in wording being used without an appropriate governance framework and robust processes to assess variations against underwriting appetite. This is more prevalent in the SME/retail sector, where many insurers noted the challenges of coordination across multiple insurers for even small changes to agreed “scheme” or “platform” arrangements, and where intermediaries required use of their own (rather than the insurer’s) wording. This concern is further exacerbated by outsourced underwriting arrangements and the additional controls necessary to oversee these. Insurers should ensure appropriate governance frameworks, processes and controls in relation to policy wordings are in place, and regularly reviewed, as part of their risk management process.
Product life cycle management
APRA found that many participating insurers had ad hoc and poorly coordinated management of insurance risk controls. Product life cycle controls were missing, incomplete, or over-reliant on individuals and varied considerably across insurers in terms of weakness. There was a general lack of end-to-end product management spanning the critical teams (product development, pricing, underwriting, distribution, and claims) required to ensure products maintain their integrity throughout the life cycle. Moreover, for some insurers the challenge of monitoring the rigour of the product cycle was compromised by the immature integration of insurance risk management into the broader enterprise risk management framework.
A quality assurance or control testing program is an important component in ensuring the ongoing appropriateness of the risk management framework for the whole of the product management cycle. Independent internal audit is used by most entities as a valuable third line of defence but should not be the only component of a robust assurance program.
Misalignment between policy wording and reinsurance treaties
Most insurers rely on reinsurance arrangements to protect their balance sheet and solvency position. The success of that strategy is contingent on ensuring that no gaps remain between the protection received from the reinsurance and the risks underwritten by the primary policies. A periodic, timely and robust assessment of the potential disconnect between primary policies and reinsurance treaty wordings is critical to avoid gaps in insurance coverage.
2. Risk Appetite
First mover disadvantage
APRA observed, through discussions with insurers, a reluctance to put in place more restrictive cover before their competitors, concerned this action would result in loss of business. This seemed most prevalent in the SME segment where, as noted above, broker or agency wordings are often required to be used to gain access to schemes, other bulk placement arrangements or online trading platforms. Insurers should take steps to empower key decision-makers to make appropriate risk decisions, consistent with the insurer’s risk appetite, in these circumstances.
A robust framework to manage insurance risks should provide conscious acceptance of risks and coverages based on the insurer’s risk appetite. Where risks accepted are identified as not fully aligned with the risk appetite, a risk acceptance process should be in place to ensure the deviation from risk appetite is subject to robust governance.
Identifying and quantifying risks in this manner as part of a strong governance process for risk acceptance would mitigate the issue of first mover disadvantage and strengthen underwriting discipline more broadly.
A lack of clarity in accountability for risk was a contributing factor to the delay in identifying the need to update policy wordings and addressing the update of policy wordings after the problem was identified.
Further, for some insurers, the immature integration of insurance risk into the organisation’s broader risk management framework exacerbated the lack of clarity around accountability for both identification of issues and follow up action when identified.
Without clear accountability for risk, it is more likely that risks will be missed or ignored, and that the management of and response to risks will be more reactive than proactive, and with short-term solutions adopted rather than preventative, long-term solutions that address root causes.
4. Risk Capabilities
A common concern was that risks were either not identified, or were identified and not appropriately quantified, escalated and resolved in a timely manner. Through discussions with the insurers, APRA attributes this to a lack of risk awareness in Line 1, and a lack of robust challenge from Line 2. APRA found all entities had room for improvement in this area.
Despite new BI covers having the correct legislative references, APRA remains concerned that exposure to unintended cover may remain in some policies under a pandemic scenario. APRA notes the UK experience in relation to BI where the issue of incorrect legislative references did not arise but insurers were nevertheless found by the courts to be on risk for unintended cover. APRA encourages insurers to take a broader view when conducting risk identification and quantification, including being aware of experience within and beyond the Australian market.
Emerging and evolving risks
APRA found that the identification, quantification, and escalation of emerging and evolving risks was not effectively embedded in regular risk management framework activity. Most insurers identified potential exposure through emerging risk committees and forums, but potential severity was either not quantified, or was underestimated, and therefore resolving the issue was not prioritised.
Risks should be assessed based on their materiality to focus resources and attention. Assessing the materiality of emerging and evolving risks is more challenging than for more familiar and known risks for which there are substantial amounts of experience data. Low frequency or probability risks may have high potential severity and so should not be ignored in assessing risk exposure. Risks that could generate events impacting capital resilience should be identified as such and receive corresponding considerations and treatment. Applying a “what if” mindset can help identify vulnerabilities that could threaten an entity’s capital position. Better practice of emerging risk identification includes quantification of the worst-case scenario to ensure appropriate traction and prioritisation, typically through scenario analysis.
The following are examples of better practice observed by APRA from a range of insurers.
Central repository of wordings
- Improved product life cycle management.
- Enables identification and assessment of the need for wording updates and brings greater governance in product version control.
Clear responsibility and accountability for the management of risks across the three lines of defence
- Clear Line 1 responsibility and accountability supported by adequate capability and capacity.
- Clear role of Line 2 in supporting and challenging Line 1.
Affirmative statements of cover
- Reducing the ambiguity of cover by using affirmative statements of cover rather than seeking to exclude elements from “all risk” covers. Primarily suggested for emerging and evolving risks such as cyber, and/or where aggregate exposures can be extremely large or are difficult to calculate.
- Identification of events/risks, such as pandemics, that could threaten capital position and clear statements in policy wordings that cover is not provided for these events.
Complete controls documentation supporting robust control testing and assurance processes
- A regular testing of the effectiveness of the controls is a foundation of a proactive management of risks.
- Regular testing allows entities to identify areas of potential vulnerabilities as internal and external environments change and controls need to be amended or improved.
- Complete documentation provides confidence during times of staff changes and business change as well as providing an audit trail.
Performing root cause analysis
- Allows remediation of underlying weaknesses before a material loss can arise.
- A key component and outcome of a healthy risk culture.
- Enables lessons learned to be applied more broadly than just the specific issue being reviewed.
Reflection and sharing of lessons learned
- Enhance resilience by sharing of lessons learned in appropriate forums within organisations as well as across the industry.
Quantification of risks to assess potential materiality
- Avoids the situation that identified risks are left unaddressed without appropriate acceptance and prioritisation.
- Risks with potential material impact are identified using tools such as stress testing, scenario analysis or ‘what if’ analysis.
- Risks with potential material impact are escalated, addressed, or accepted.