It Figures Podcast: S2:E15 – Insurance Compliance and Regulatory Examination Process in 2021

Speaker 1:

From Carr, Riggs & Ingram, this is It Figures: The CRI Podcast, an accounting, advisory and industry focused podcast for business and organization leaders, entrepreneurs, and anyone who is looking to go beyond the status quo.

Scott Bailey:

Hello, everyone, and welcome to the It Figures podcast, the podcast of Carr, Riggs & Ingram, or CRI as we refer to ourselves, and today’s topic is going to cover ORSA requirements and changes to the regulatory exam process. I’m joined today by Andrea Harbison out of our Jackson, Mississippi office. How are you today, Andrea?

Andrea Harbison:

Hey, I’m doing well.

Scott Bailey:

Great. And if you wouldn’t mind, maybe just give us a little bit of background and where you’re coming to us from on this topic.

Andrea Harbison:

Yeah. So I’m a senior manager out of the Jackson office, and I provide audit and business consulting services to insurance companies, but I also provide regulatory examination services to various departments of insurance. And so I have a little over 10 years of experience in the insurance sector here at CRI, and I’m also involved in numerous insurance organizations, such as the NAIC, SoFi, and IRIS.

Scott Bailey:

Perfect. Perfect. Yeah, Andrea is definitely one of our insurance rock stars in the firm. My name is Scott Bailey, and I’m an audit partner out of our Raleigh, North Carolina office, and I focus on insurance as well. So once again, thank you for joining us, and you can find this podcast on all the places where you would normally find a podcast, and you can find our content on Facebook, and Instagram, Twitter, all those lovely places. So with that, Andrea, let’s jump right in on this topic.

So today, we’re going to talk about ORSA requirements, as we said at the top, as well as some changes coming to the regulatory exam process. Let’s start with ORSA, and just for the folks who may not be very familiar with that term, or some who may not be familiar with it at all, could you give us a brief rundown on what that means, and who needs to pay attention to it?

Andrea Harbison:

Sure. So ORSA is actually stands for Own Risk and Solvency Assessment. And what this is, it is for insurance companies that have about 500 million or more in annual direct and assumed premium. So ORSA would only apply for kind of like your mid to large size entities. And it does also apply for those insurance groups that write more than one billion in annual written and assumed premium. So it’s not going to be for the small entities. It is going to be for just those larger and midsize insurance companies. And an insurer that is subject to ORSA would be expected to at least annually conduct a risk assessment to assess the adequacy of their risk management frameworks, such as their enterprise risk management function.

And they would also need to determine and estimate their current and future solvency positions. And what they would also do, they would internally document this process and the results of their assessment, and then they would have to provide a confidential high level ORSA summary report that would need to be filed with the state of the domicile. So ORSA, essentially, it’s just an enhanced oversight tool for the company to use, and it forces management to look at all functions of the entity to determine what risk are affecting the company, what controls are in place to mitigate those risk, and to ensure is the company adequately capitalized to endure any significant negative trends associated with those risk? So if done properly, ORSA should really help to foster an effective level of ERM.

Scott Bailey:

It’s funny you say that, because as you were going through it, I was thinking I was making the same comparison in my mind to ERM, or enterprise risk management, which we’re also seeing a lot of that going on with financial institutions, and really starting to cross over into in commercial businesses. But back to ORSA there. So what is it now that’s really bringing this to the forefront? Why is this sticking out in the regulatory mindset? What’s bringing this to the top?

Andrea Harbison:

So it really does come back to why was ORSA adopted in the first place? So because of the 2008 and 2009 financial crisis, you had non-insurance components of a holding company that took on huge losses from these risky investments. This calls financial uncertainty, and sometimes even nearly a collapse of an entire holding company system. That included those US insurers. So let’s fast forward a little over 10 years, and we have this worldwide pandemic that has called billions of dollars in losses for companies.

So regulators are still very much focused on ORSA, because we’re living in a time where a company’s success or failure might very well be reference as to how they managed and they dealt with COVID, and not just with COVID itself, but how did they navigate what is considered our new normal or post COVID era? How did they handle that? So that’s one reason why this is such still a very hot topic for regulators, and also this event, although it may not have been something that was on insurance companies’ forefront pre-COVID, it would obviously be looked at now, and could potentially even be included in a company’s ORSA filings that would be filed this year.

Scott Bailey:

And some of these, I think for some areas, maybe some states, it seems like these ORSA filings are somewhat new. Isn’t that right?

Andrea Harbison:

They are. So the ORSA, which was Model law (#505), went into effect in 2015, but some states did not fully adopt that Model law until a few years later. So you have these ORSA summary reports that are still fairly new. Some of the DOIs only have seen just a few of these for maybe three years. So it’s still a learning stage, I guess you would call it, for both the insurance companies and the DOI. So that’s still one reason why it’s such a big topic for regulators.

Scott Bailey:

Absolutely. And I guess when you consider the fact that one of those years that they’ve looked at includes a pandemic year, it’s really hard to sort of figure out what the baseline is going to be, I guess.

Andrea Harbison:

Yes. Absolutely.

Scott Bailey:

So what exactly are the significant changes that we’re seeing? We’re trying to advise our clients, and sort of give them what we’re seeing on the horizon, what’s coming, and things like that. What are the things that you’re seeing that you think are really going to either maybe rock the boat, or maybe not rock the boat, but definitely some changes that both the regulators and ORSA filers are going to feel?

Andrea Harbison:

So something that we would really expect the DOIs to have increased scrutiny over would be what is in the ORSA, but really most importantly, what’s not included in the ORSA? Especially given this pandemic situation we’re currently facing. This past year really forced companies to reassess risk. And you would expect that that reassessment to be reflected in the ORSAs that would be filing for this particular year. And ORSA is not meant to just be an annual review where you check it off the list to satisfy the regulators. It is meant to continuously evolve over time. So it should be a component of the ERM framework that encourages management to anticipate potential capital needs, and to take proactive steps to reduce those solvency risk.

So what you would expect, or the DOI would expect, to see a progression in the development of that first ORSA filing that was prepared by the company compared to the most recent. So if the DOI isn’t seeing much progression in the development of that ORSA filing year after year, then there may be some uncertainty as to whether the company is truly following their ORSA, or if it’s just there for the sake of checking off a box. But if done correctly, ORSA really should help an organization improve the identification of strategic risk, and again, it would help improve their ERM function.

Scott Bailey:

So basically, if say the DOI got one of these filings, and it sort of looked like a carbon copyish, or very similar to what it would look like say for last year, or even the year prior, it seems like that would maybe throw up a red flag for them?

Andrea Harbison:

It absolutely would. I mean, you would expect maybe some of the risk, the top risk identified, in ORSA would still be similar year to year, but especially given COVID and everything that we’ve gone through, we would highly anticipate there would be some changes in the filings that would occur for this year. And also based on some of the feedback that we’ve received from the regulators, along just with our own observation that we do during the examination process, there are times when the key and emerging risk that have been identified in that ORSA, they may not always clearly identify the mitigating controls in section two of the ORSA.

So ORSA does have section one, two, and three included in there, and in the section two, this is where the insurance companies should go through all of the mitigating controls, and sometimes there’s just not a good enough linking between those risk and then the controls that are identified. So we really would expect the regulators to take a closer look at those companies risk, and to make sure those controls are being properly identified, and also we would expect the regulators to even look closer as to, okay, you’ve identified these risk, maybe top five or top 10 risk. Are these actually risk that we’re seeing in the industry ourselves? So that’s something that we definitely would expect the regulators to look at.

And also another note, you do have examiners are now required to look at certain things that are included in the ORSA. So if you’re putting controls in there to help mitigate these risk, those examiners are going to heavily review your ORSA, analyze it, and test it. So insurance companies just need to make sure that they are aware that the examiners will be looking at this pretty heavily.

Scott Bailey:

Hmm. Good to know for sure, and certainly important. And as part of that, we started talking about the regulatory exam process, which is everyone’s favorite. Just sort of dovetailing into that from ORSA, but diving in a little more deeply on what we see coming from the regulatory exam process, what are some of the things that we’re seeing on the horizon? As we’ve said, we’re dealing with another year of pandemic, and all the effects that that’s having on the market, so what are we seeing from the regulators? What are we seeing from insurance companies there?

Andrea Harbison:

Yeah. So this is something that the regulatory exam process is still kind of changing constantly. It’s still pretty fluid, and depending on the state of domicile, you may get a different answer on this, but the feedback that we’ve received from regulators, and just what we have seen is, if you recall, a lot of these exams pre-COVID, they would have the examiners onsite for different things. A lot of times for your kickoff meeting the DOIs would want the examiners on there sitting at the company, and then especially for the C-level interviews, and those are interviews with your CEO, CFO, the chief actuary. Those would always be held in person as well, in addition to the walk-throughs.

Well, since COVID, obviously, examiners and DOIs, they really had to change that approach pretty drastically. And obviously, one of those is working remotely and having virtual sessions. And so you still have some DOIs that are in the office maybe on a rotational basis, but a lot of them are still 100% remote. And so given this situation, I would expect for these upcoming exams, and even exams that are current, I would still expect those to be 100% virtual. And while some companies may be absolutely excited about this, they don’t have to worry about paying the travel costs for the examiners, or accommodating them onsite, giving them a location to stay, you do have to remember with a remote work environment it does mean there’s a lot of screen time involved.

So there’s going to be a lot more virtual meetings, and so the examiners really aren’t going anywhere, but you may find it where you actually have to provide a lot more assistance to them, just because they aren’t onsite, and they can’t go to this department directly as easily as they could before. And actually, I completed an entire exam this past year 100% remote. And so what you would expect on, potentially, an exam, for example, when you had to do a walkthrough and do system controls, I sat down with, for example, it was a claims manager. And he shared his screen, and I took screenshots of certain warnings, and red flags, and messages that came up, so that I could get my controls and show that I observed the controls in place, and it worked out perfectly fine.

It may have taken a little longer than just being onsite at the company, but I would expect at least for this year and probably even next year for these exams to be 100% virtual for the most part. And we also would expect these exams to have a lot more emphasis on cyber security. Now, granted this is something that’s been a hot button for several years, just because of all the breaches that have occurred, but I would think even more since you have so many people working remotely. That would be something that your IT examiners would look into more heavily, and the DOIs would want to look into that.

Scott Bailey:

Right. Right. Right. For sure. So it sounds like certainly some of the challenges and opportunities for the exams coming up in the next 12 to 24 months, it sounds like making time for dialogue, and having to be a lot more intentional about making that time for dialogue, and then, again, that cybersecurity thing just keeps hanging around, doesn’t it?

Andrea Harbison:

Yes. That one is definitely not going anywhere anytime soon, so that would be something, if they haven’t already done so, the company needs to make sure they’ve got the right IT policies and procedures in place to address those risks that they have. And also something else that we feel like the examiners obviously would inquire about would be how did the company react to COVID? Did they follow the company protocols, or did they have to make changes? Obviously, most companies never would have thought they would’ve had to have a shutdown for not just a few days or a few weeks, but for months.

And so I think it’s perfectly fine for the company to talk with the regulators and say, “Yeah. We went through our plan, our plan said to do this, this, and this, and when we got into it, we realized when we had to send 300 people home, that plan didn’t go exactly according the way that we would prefer. So we had to make some improvements. We had to make some adjustments on the fly.” So insurance companies need to be ready to kind of explain how they reacted to COVID, especially sending everyone home. I know that was a big deal for all companies involved, not just insurance companies, but that would be something too they just need to have on the back of their mind to discuss that with the regulators.

Scott Bailey:

For sure. And it sounds like really both of these issues, circling back to our discussion on ORSA, really fit in well for companies that have a really strong ORSA, or ERM program, or even sort of a basic level disaster response, disaster recovery program.

Andrea Harbison:

Yes, absolutely. It would.

Scott Bailey:

Great. Any closing thoughts that you’ve got?

Andrea Harbison:

No, just really the only other things related to potential exam changes, or just emphasis on the exam would be maybe the early retirements that did occur in COVID. Companies just need to make sure they do have a solid succession plan in place. That’s always been something on the regulator’s mind is does this company have a succession plan? What if something happens to this person? What if something happens to the CFO unexpectedly? So that would just be something I think, because of all these early retirements, a company needs to make sure that they have a solid succession plan in place in case something were to happen.

Scott Bailey:

Absolutely. Absolutely. Well, Andrea, thank you so much for your time and for your expertise. We really appreciate you making time to be a part of this podcast and for talking with us today, and thanks to you, the listeners. We appreciate you tuning in, and again, you can find our content on all the major platforms, Facebook, Instagram, Twitter, LinkedIn. We’re out there, and you can find this podcast where you find your regular podcast activity. Thanks again for joining us, and this is the end of this episode of the It Figures podcast by CRI.

Speaker 1:

If you want more CRI insights or are interested in learning about our firm, please visit our website at cricpa.com. Thanks for listening to this episode of It Figures: The CRI Podcast. You can subscribe to It Figures on iTunes, Spotify, or wherever you prefer to listen to your podcasts. If you liked what you heard today, please leave us a review.