Advisen: What are the biggest enterprise risks?
Augustine Doe: The biggest enterprise risks insurers face are: would an insurer be able to effectively (1) assess its own business and solvency risks and (2) establish a robust risk governance framework to manage and monitor its risk capital and prospective solvency? This probably explains why the National Association of Insurance Commissioners (NAIC) promulgated the Own Risk and Solvency Assessment (ORSA) Model Act.
Under the ORSA Model Act, insurers subject to the Act are required to file an ORSA Summary Report with their respective state insurance commissioners beginning January 1, 2015. The ORSA Summary Report must: (1) describe the insurer’s risk management framework (2) document the insurer’s assessment of risk exposures and (3) convey the insurer’s risk capital and prospective solvency.
Advisen: What are the emerging risks?
Augustine Doe: Cyber security risks. They continue to evolve and we continue to learn more and more about the risks’ operational and financial impacts. One best practice that we are seeing organizations implement is the purchase of Cyber-security and Technology liability insurance. In addition to this, organizations need to undertake vendor risk reviews and broaden existing security vendor-management systems to include the vendors that the organization and its subsidiaries do business with.
Advisen: Is the insurance industry doing enough to address these risks?
Augustine Doe: Yes, however the challenge continues to be that organizations need to iteratively and recursively execute the programs or systems that would help them manage and monitor these risks on a sustainable basis.
Advisen: From a risk perspective, what keeps you awake at night?
Augustine Doe: The nebulous nature of reputational risk and the speed with which its impacts is felt. Even the best-managed and most risk-aware organization can be derailed. One way to soften the impact is for an organization to have preset processes and responses to address reputational events that are inherent in the organization’s industry. Also, a company should establish a robust communication channel to escalate incidents to the appropriate senior management.
Advisen: What do you think is the most important risk development in the last 12 months?
Augustine Doe: Increased sharing of best practices. The internet and risk-management conferences, seminars, and webinars have become the forum to learn about how peer organizations are dealing with similar issues and challenges. This informal knowledge transfer strengthens and enhances the way organizations approach risk management.
***
Augustine Doe is president and managing director of Outsource Risk Management, a firm that develops Own Risk and Solvency Assessment (ORSA) and Committee of Sponsoring Organizations of the Treadway Commission (COSO)-based enterprise risk management programs for organizations seeking to actively manage and monitor their enterprise-wide risks. Augustine has served in a number of risk management and treasury capacities for private and Fortune 500 companies including CRC Health Corporation, Leap Wireless International Inc., Gateway Inc. and Mattel Inc.