Enterprise Risk Management and the Insurance Act 2015: Be prepared! Part 2
In Part 1 of this article, I set out an introduction to the Insurance Act 2015 (“IA”) and the fundamental changes which are coming into force in August 2016.
So it is safe to say that as a result of the IA the risk manager will be required to identify and analyse all relevant information within the organisation. He or she must make an honest appraisal of the information (in insurance parlance, “circumstances”) and then bundle it up and present it to the market (directly and/or via the broker). The risk manager necessarily plays a central part in the exercise of working out what pieces of information will comply with the requirement to disclose “every material circumstance which the insured knows or ought to know”.
I have termed this exercise “knowledge collation”. How is the risk manager going to do that confidently and competently - both for the practical benefit to the organisation’s insurance programme (financial, primarily, in the form of the premium charged) and to ensure compliance with the IA?
Here are my top 10 tips:
The IA defines “information” and “knowledge” widely, so the risk manager will need detail: identify discipline heads and senior managers who have day-to-day project responsibility. The risk manager must be brave and interrogate. He or she should not shy away from asking difficult questions, or requesting copies of documents.
Set up a structured Enterprise Risk Management (ERM) system: identify reporting lines, expectations and responsibilities. Review it regularly to check what is and isn’t working, and whether it needs strengthening (for example, map where inadequate or poor quality information emanates from and why). Invest in regular corporate risk appraisals, preferably with an independent external, who can scrutinise objectively.
Integrate significant project information (by value, PR importance or “difficulty”) into the ERM system for the maximum view.
Dovetail all the business’s fixed dates into the ERM system: AGM, insurance renewal, quarterly investor reports etc.
Attack it from another angle: work with financial colleagues to identify “sticky” projects or issues requiring special attention. For example, where significant fees have not been paid, this may be symbolic of underlying performance or delivery issues.
Work with legal colleagues who specialise in claims or disputes: they can smell problems at a distance and can swiftly get stuck in on your behalf (they probably already have…). Remember that in the PI/E&O arena, “circumstances which could give rise to a claim” are enough to trigger the notification duty, and if you fail to notify, not only do you risk meeting a coverage defence from your insurer, but you also have information which is material to disclose in relation to next year’s policy. If in doubt, notify on a precautionary basis.
Make friends with the broker: he/she knows the insurance market inside out and is able to guide you through the minefield of disclosure, and underwriter expectation.
Know your organisation inside out:
Start at the top: the business’s objectives and values, the locations in which it operates, the services it offers, the top brass’s (CEO, COO, CFO) appetite for acquisition, risk etc.
Then break it down to a local level: there may be individuals who resent being overseen by a remote parent.
Keep close to the UK insurer: if it decides to “contract out” of certain of the new IA default terms, which it can elect to do, the risk manager needs to be ready to engage and react, including adjusting ERM activities.
Minimise breach: given the change in status of “warranties”, breaches should be kept to a minimum, remedied swiftly and effectively, and the events recorded, because the organisation will not be covered during the period of breach, and whether the action taken constitutes an effective remedy could be a coverage point.
Why do all this? Because the underwriters who analyse whether to invest in your organisation’s insurance programme will consider both the factual data which is presented (disclosed) to the market and the ERM structure and processes, because both inform the organisation’s risk profile and therefore its attractiveness to the insurance market investors.
The IA will not make the risk manager’s job easier. But I believe it will make it more important. The risk manager needs to understand the impact of the IA and start to implement measures to address the forthcoming changes. In so doing he or she can influence the ERM system and thus improve the insurance programme. Failing to take action now will negatively affect the organisation’s position in the market.