Revisions to the Financial Condition Examiners Handbook


RISK-FOCUSED SURVEILLANCE FRAMEWORK UPDATE
Agenda
• Overview of Risk Assessment Cycle
• Conducting Risk-Focused Exams
• Seven Phases to Conducting Exams
• Status and Project Timeline
Risk Assessment Cycle
Insurer Profile Summary
Supervisory Plan
Develop Ongoing Supervision That Includes:
• Frequency of Exams
• Scope of Exams
• Meetings with Company Management
• Follow-Up on Recommendations
• Financial Analysis Monitoring
Priority System
Priority System Based on Dept. analysis and NAIC financial analysis tools:
• Scoring System
• ATS Results
• IRIS Ratios
Internal/External Changes
Consider Changes to:
• NRSRO Ratings
• Ownership/Management/Corporate Structure
• Business Strategy/Plan
• CPA Report or Auditor
• Legal or Regulatory Status
Examination
• Risk Based Examination
• Identify Functional Activities
• Identify/Assess Inherent Risk
• Identify & Evaluate Controls
• Determine Residual Risk
• Establish Procedures and Conduct Exam
• Update Supervisory Plan
• Exam Report/Mgmt Letter
Off-Site Risk Focused Financial Analysis
Financial Analysis includes:
• Risk Assessment Results
• Financial Analysis Handbook Process
• Ratio Analysis (IRIS, FAST, Internal Ratios)
• Actuarial Analysis
• Update with internal/external changes
Insurer Profile Summary
• General/Basic Information
• Business Summary
• Priority Rating
• Regulatory Findings
• Regulatory Plan
• External Information
• Key Financial Data
• Overall Summary
Seven-Phase Examination Process 1-4
• Phase 1 – Understand the Company and Identify Key Functional Activities to be Reviewed
• Phase 2 – Identify and Assess Inherent Risks in Activities
• Phase 3 – Identify and Evaluate Risk Mitigation Strategies/Controls
• Phase 4 – Determine Residual Risk
Seven-Phase Examination Process 5-7
• Phase 5 – Establish/Conduct Exam Procedures
• Phase 6 – Update Prioritization and Supervisory Plan
• Phase 7 – Draft Exam Report and Management Letter Based on Findings
[Figure: Risk Assessment Matrix, laid out across Phases 1 through 7 for Financial Reporting Risks and Risks Other than Financial Reporting. Labels shown: Key Activity, Sub-activities, Identified Risks, Branded Risk, Risk Identification, Inherent Risk Assessment (Likelihood, Impact, Overall Inherent Risk Assessment), Risk Mitigation Strategy/Control, Evidence & Document Testing Controls, Overall Risk Mitigation Strategy/Control Assessment, Residual Risk Assessment (Calculated Residual Risk, Judgmental Residual Risk, Overall Residual Risk Assessment), Examination Procedures / Findings, Prioritization Results, Supervisory Plan, Report Findings & Management Letter Comments.]
Phase 1 – Understand the Company/Identify Key Activities
Parts to Phase 1
1. Understanding the Company
2. Understanding the Corporate Governance Structure
3. Assessing the Adequacy of the Audit Function
4. Identifying Key Functional Activities
5. Consideration of Prospective Risks
Phase 1 – Understand the Company/Identify Key Activities
Steps to Part 1 – Understanding the Company
1. Gather Necessary Planning Information
2. Review the Gathered Information
3. Analytical and Operational Reviews
4. Consideration of Information Technology Risk
5. Update the Insurer Profile
Phase 1 – Understand the Company/Identify Key Activities
Part 2 – Understanding the Corporate Governance Structure
• Understanding the Organizational Structure
• Understanding & Assessing the Board of Directors
• Understanding & Assessing Management
Phase 1 – Understand the Company/Identify Key Activities
Part 3 – Assessing the Adequacy of the Audit Function
• External audit
• Internal audit
Phase 1 – Understand the Company/Identify Key Activities
Part 3 – Assessing the Adequacy of the Audit Function
External
• Provide understanding of control structure
• Understand CPA’s risk assessment
• Review compliance and substantive procedures
Phase 1 – Understand the Company/Identify Key Activities
Part 3 – Assessing the Adequacy of the Audit Function
Internal
• Financial
• Operational
• Compliance
• IS or Technology
Phase 1 – Understand the Company/Identify Key Activities
Part 4 – Identify Key Functional Activities
• Identify key activities using company background information from various sources.
Phase 1 – Understand the Company/Identify Key Activities
Part 5 – Consideration of Prospective Risks
• Consideration of prospective risks is an intrinsic element of a risk-focused examination and should occur throughout all phases of the examination process.
Phase 2 – Identify Inherent Risk
• Key activities and sub-activities identified in Phase 1 are the building blocks for identifying inherent risk.
• Inherent risk is the risk before considering internal controls.
• The examiner asks the question, “What can go wrong?” for each of the key activities.
Phase 2 – Identify Inherent Risk
Inherent risk that has been identified is then classified into the branded Risk Classifications.
• Credit
• Market
• Reserving
• Liquidity
• Legal
• Strategic
• Pricing/Underwriting
• Operational/Financial Rptg.
• Reputational
Phase 2 – Assess Inherent Risk
Inherent risk is assessed by considering:
• the likelihood of occurrence,
• the magnitude of impact and
• examiner’s judgment.
Phase 2 – Assess Inherent Risk
Likelihood of Occurrence: The likelihood that the risk will occur or would prevent a process or activity from attaining its objectives.
• Low: rare occasions.
• Moderate-low: at some time.
• Moderate-high: probably occur at some time.
• High: expected to occur most of the time.
Phase 2 – Assess Inherent Risk
Magnitude of Impact: The potential impact or potential materiality of a risk.

Magnitude of Impact is measured as:
• Threatening: Greater than 5% of surplus
• Severe: 3-5% of surplus
• Moderate: 1-3% of surplus
• Immaterial: Less than 1% of surplus
Phase 2 – Assess Inherent Risk
Inherent risk by Magnitude of Impact (rows) and Probability of Occurrence (columns):

Magnitude of Impact   High       Moderate-High   Moderate-Low   Low
Threatening           High       High            High           Moderate
Severe                High       High            High           Moderate
Moderate              Moderate   Moderate        Moderate       Low
Immaterial            Moderate   Moderate        Low            Low
Phase 3 – Risk Mitigation Strategies
• The insurer’s control risk should be assessed by determining how well the risk mitigation strategies/controls offset the inherent risks identified.
• Leverage off work of external/internal audit and company self-assessments.
Phase 3 – Risk Mitigation Strategies
The Overall Risk Mitigation Strategy/Control Assessment ratings to be indicated in the Risk Assessment Matrix are:
• Strong Risk Management
• Moderate Risk Management
• Weak Risk Management
Phase 4 – Determine Residual Risk
Inherent Risk – Internal Controls = Calculated Residual Risk
Overall Residual Risk = Calculated Residual Risk +/- Examiner’s Judgment
Phase 4 – Determine Residual Risk
Residual risk by inherent risk (rows) and strength of controls (columns):

              Strong Controls    Moderate Controls   Weak Controls
High IR       Moderate to High   Moderate to High    High
Moderate IR   Low to Moderate    Moderate            Moderate
Low IR        Low                Low                 Low

IR = Inherent Risk
Phase 5 – Establish/Conduct Exam Procedures
• After completion of the Risk Assessment for key activities, the nature and extent of testing can be determined and the examination procedures designed accordingly.
• Examination procedures should be selected to correspond with the financial reporting and other than financial reporting risks noted within the entity.
Phase 5 – Establish Exam Procedures
Key Concept: Focus examination effort where there is more risk.
Examination procedures should be designed to focus on the risks that remain after consideration of internal controls.
• High Residual Risk – Substantive tests
• Moderate Residual Risk – Fewer substantive tests and analytical procedures
• Low Residual Risk – Minimal substantive tests, more analytical procedures, potentially eliminate tests.
Phase 6 – Update Prioritization and Supervisory Plan
• From relevant and material findings:
• Update priority score
• Establish the Supervisory Plan for on-going analysis
• Examination Report and Management Letter should be a reflection of the Prioritization and Supervisory Plan
Phase 7 – Draft Exam Report and Management Letter
• Examination Report – Contains the findings of the examination related to the scope
• Management Letter – Optional tool to convey results and observations noted during the exam that are not needed in the public report
• Vehicle for ongoing dialogue with insurer
• Content determined by state insurance department
Timeline
• 2004 – Adoption of Risk-Focused Surveillance Framework
• 2004-2006 – Handbook Revisions Exposed for Comment
• 2006 – Adoption of the Revisions to the NAIC Financial Condition Examiners Handbook
• 2006-2009 – Training Program for Implementation of the Risk-Focused Process
• 2007-2009 – Dual Examination Approach
• 2010 – Proposed Accreditation Standards