In the Insurance Sector, Data Governance is Back on the Agenda
Today, insurers face numerous challenges that go to the nub of their business models. Customers are seeking new types of cover, new periods of cover and new ways of being serviced – all of which require greater investment in systems, processes, and data management.
At the same time, greater longevity, combined with sustained low interest rates are putting balance sheets under pressure as never before, placing a premium on the efficiency, flexibility and dynamism of the business. New and emerging risks — such as cyber, smart contracts, as well as changing tax and accounting treatments of risk — are placing new demands on product development, data management and investment performance. And the real impact of COVID-19 is yet to be seen.
Regulatory pressures are extremely challenging too – among others SOX in the US and IFRS 17 and Solvency II in the UK & EU. Solvency II in has been a topic of industry conversation for a long time now, but most recently in the insurance sector. The Prudential Regulation Authority (PRA) has clear expectations of how firms seek approval to use internal models as well as how they apply for approval to make changes to their approved internal models.
Against this backdrop, and recognition among insurers that efficient and effective data is key to responding to industry and business challenges, data governance across their End User Computing (EUC) environment is now a critical business priority.
The ubiquity of spreadsheets
Spreadsheets are ubiquitous in the insurance sector. Spreadsheets are often core to a whole range of asset management, risk management, pricing, reserving, bordereau management, actuarial, portfolio management and compliance functions, for example. On examining their processes, insurers will almost certainly find that to a large extent, their business relies on spreadsheets for portfolio management, capital calculations, pricing models, mortality rate tables and more — as well as for the data used in regulatory and management reporting.
For actuaries, for instance, they are their ‘go to’ application for data manipulation. Spreadsheets are powerful tools to run complex calculations. It is far easier to link multiple data sources for data flow and hence a spreadsheet model is far quicker tool to use for delivering an output to a new question or for a new business case than an enterprise IT system.
But the downside is that these spreadsheets sit outside the managed IT and GRC infrastructure – even when these models transition from ad-hoc tactical fixes to strategic models and calculators. Uncontrolled and unmonitored, they pose operational, financial, regulatory and reputational risk to insurers.
The importance of controlling spreadsheets for insurers
From a regulatory standpoint, especially Solvency II in the EU, and ORSA in the US, insurers need to confidently and accurately meet their regulatory reporting obligations in timely way, if they are to avoid the risk of fines and reputational damage. Similarly, in the US, SOX compliance is a significant concern as auditors and the SEC are scrutinizing the use of spreadsheet more closely. It should be pointed out that these organisations aren’t averse to insurers using spreadsheets – they in fact recognise the value they deliver to the business. They are merely demanding best practiced and monitored usage of these tools.
Auditors themselves are under pressure from their watchdogs for audit failures and violation of quality standards to enforce SOX compliance by organisations. They need to demonstrate their value. Aware of the risks that spreadsheets present, auditors have made it their prime focus of their audit activity. If an insurer’s spreadsheets aren’t fully controlled, preparing for an audit becomes a scramble.
The operational risk emanating from spreadsheet usage is quite high. Spreadsheet models and calculators are often user-developed and so often, there may be only one or two people in a business unit who may know of the existence of a particular EUC and/or how it works, where it sits in the EUC landscape, who maintains it, how it links with other data sources and so on. Should either of these individuals leave the organisation, the knowledge walks out with them too!
Low returns are creating a more competitive insurance industry landscape and leading to an increase in mergers and acquisitions. Consolidating and rationalizing processes and IT becomes even more complicated when it involves unmanaged spreadsheets running critical business processes.
Similarly, mispricing products can have a major impact on an insurance firm’s profitability. In the current environment of low interest rates and low investment returns, there’s little margin for pricing error.
[bctt tweet=”There may be only one or two people in a business unit who may know of the existence of a particular EUC and/or how it works.” username=”MitratechLegal”]
The way clear: a technology-supported framework
The good news is that all these risks are easily mitigated by building a framework that governs spreadsheet risk management – underpinned by technology and automation. As well as increasing transparency around insurer’s spreadsheet data and how it’s used, this approach gives confidence that the right checks and balances are in place. More crucially, insurers can move to a state of continuous audit that requires much less effort than the just-in-time audit preparations that are typical today.