Risk-Focused Exams and the NAIC’s Internal Control Reporting Requirements:

An Integrated Approach for Efficiencies in Regulatory Compliance

 

By James Morris

 

Beginning in 2010, two initiatives by the National Association of Insurance Commissioners (NAIC) that represent significant change for the insurance industry go into effect: the Annual Financial Reporting Model Regulation (AFRMR) and the full implementation of the Risk-Focused Examination (RFE) approach. Insurance companies that implement the AFRMR in a way that incorporates the principles of the RFE approach can directly influence the efficiency of the examination process. Similarly, RFE approach guidance provides some important clues as to how insurers can tackle the task of complying with the AFRMR in a cost-effective manner.

 

The AFRMR imposes Sarbanes-Oxley (SOX) type internal control reporting requirements on insurance companies, including mutuals and privately-held companies. A substantial number of companies will fall under at least some of the AFRMR’s provisions due to the tiered structure of the rule. Perhaps most significantly, for larger companies with direct and assumed written premiums in excess of $500 million, the AFRMR’s SOX 404-like internal control reporting requirements are triggered, albeit in a manner that is in some respects more lenient than SOX.

 

That said, efforts to comply with the AFRMR will still represent a significant undertaking for many companies, including some that are already SOX compliant. The latter point is underscored by the fact that the AFRMR applies to a company’s financial reporting as prepared on a statutory accounting basis. Therefore, many SOX-compliant companies will need to document additional processes that are not applicable on a GAAP basis, such as IMR and AVR, or that reflect the differences between statutory accounting and GAAP, such as with deferred income taxes.

 

The new RFE approach introduces fundamental changes to the manner in which examinations are conducted for all insurers, including:

  • A more direct focus on risks, not just those related to financial reporting but also prospective risks;
  • A more holistic view of the audit function at the company, including its oversight by the audit committee; and
  • A clearer distinction between enterprise-wide controls and those at the functional level.

 

The RFE approach begins with the examiners gaining an understanding of the company, including factors such as its environment, products, and competition. Therefore, it is likely that the examiners will look to perform a top-down risk assessment and evaluate the effectiveness of the company’s entity-level controls along with its risk management processes and activities. The examiners will use this information to identify the inherent risks the organization faces on both a current and prospective basis. Unlike SOX and the AFRMR, the RFE approach does not limit the scope of its risk classifications to financial reporting risk alone. The examiners will also be interested in identifying and evaluating the credit, market, pricing/underwriting, reserving, liquidity, operational, legal, strategic and reputational risks facing the company.

 

The next phase of the examination will be to quantify the risks to determine their likelihood and potential impact on the organization.  Upon completion, the examiners will seek to identify the controls the company has implemented on an entity-wide and/or process specific basis, assess the effectiveness of their design, and validate the controls to ensure they are functioning. 

 

Since the RFE approach’s risk assessment process closely resembles the traditional risk assessment models historically utilized throughout the industry, the change should present companies with an opportunity to participate more actively in the exam process by sharing their knowledge of risk management and internal controls with examiners. By sharing their risk assessments, controls documentation, internal audit workpapers and reports, and other similar information, insurers can proactively demonstrate to examiners that management understands the risks their companies face and that those risks are being actively managed. Since much of this information already exists, or will soon be prepared or gathered in order to comply with the AFRMR, most of this can be done with little additional demand on the company’s resources, especially if a company builds and aligns its documentation with examiners’ needs in mind.

 

Insurance companies that are implementing the AFRMR can look to the RFE approach for guidance on assessing risk and documenting internal controls. The RFE approach is detailed in the NAIC Financial Condition Examiners Handbook, which contains numerous templates, questionnaires and other tools that companies could use to conduct their AFRMR risk and controls assessments. In many respects the AFRMR and the RFE are complementary. Companies can apply the concepts of the RFE approach both to influence the efficiency of the examination process and to implement the AFRMR.

 

James Morris is a director for Invotex Group.  He can be reached via email at jmorris@invotexgroup.com.

 

 