Private Health risk management insights – 2023 update
Like other financial services institutions, Private Health Insurers (PHIs) in 2023 face a volatile risk frontier. So how are PHIs responding to key industry issues, such as cyber security, operational risk, and systems uplift?
The pipeline of regulatory change also shows no signs of slowing down. The Financial Accountability Regime (FAR) has been finalised, after the legislation received Royal Assent in September 2023. APRA and ASIC (as FAR’s co-administrators) have advised that the regime will apply to insurers from 15 March 2025. Most of Finity’s PHI clients are well underway in their journey towards FAR compliance, as well as preparing for CPS 511’s updated remuneration standards and CPS 190’s recovery and exit planning requirements (each taking effect from 1 January 2024).
Based on our observations as a leading provider of actuarial and consulting services to the PHI market, we have identified four key ‘risk challenges’ for the PHI market. We share our insights on what Funds can do, and are doing, to address these challenges.
1. Cyber and data security
Based on the most recent report from the Office of the Australian Information Commissioner (OAIC), healthcare information remains the most targeted form of data for ransomware attacks. This correlates with our observation that cyber risk is a ‘top three’ risk for most PHIs and that the investment into strengthening cyber security defences (information security resources, training and business continuity scenario analysis) has been prioritised this year. Several funds have onboarded additional risk managers and analysts with IT expertise to focus on IT control assurance and reporting. Consistent with APRA’s interim findings from CPS 234 Tripartite Reviews, uplift programs are being undertaken to improve:
The identification and classification of critical and sensitive information assets
Initial and ongoing assessments (including additional KRIs) of third-party provider information security capabilities, and
The documentation of risk controls and execution of control testing programs.
At the Board level, cyber risk is most commonly rated as outside-of-appetite, with a view that greater maturity is needed in the design of controls and mapping of data before the risk level can be reduced. We also observed an increase in Boards and Risk Committees undertaking simulated data breach response exercises, as an opportunity to test decision-making and business continuity response capabilities.
2. Operational risk management
Preparation for CPS 230, which will take effect from 1 July 2025 for new outsourced arrangements (and 1 July 2026 for existing outsourced arrangements), will require significant investment in resources and systems, as well as the documentation of an operational risk management framework. Funds are at different stages in their journey towards compliance with the new Prudential Standard, but most have identified that the work required presents a material resourcing risk moving forward. We have identified a number of different approaches taken to respond to CPS 230, including the establishment of working groups, project streams, and the onboarding of external consultants.
CPS 230 will also introduce business continuity policies and plans (BCPs) as a mandatory requirement for PHIs, although Finity’s PHI clients already have well-developed and tested BCPs in place.
Beyond CPS 230, many insurers are managing multiple other projects focused on operational uplift and transformation, particularly around risk systems and IT capabilities. Accordingly, we have observed an increased use of ‘Project Risk’ as its own dedicated category within Risk Appetite Statements, and the use of Project Oversight Committees to manage competing priorities and the allocation of resources across projects.
3. Risk systems and reporting
Protecht is the most commonly used Governance, Risk and Compliance (GRC) platform across the Australian PHI market. However, given the diversity of size, scale and operational footprints across the PHI market, a small number of insurers still utilise manual processes and spreadsheets to manage their risk registers and processes. We expect this number to reduce as regulatory requirements increase in terms of reporting obligations and complexity. Within existing systems, we have observed more insurers taking steps to increase linkages between system modules, including mapping obligations against controls to gain a more ‘real-time’ view of compliance risk. Better practice we have observed incorporates the mapping of audit findings against impacted controls, for the purposes of reporting and addressing identified gaps.
PHIs are also moving towards automated reporting, in some cases using software such as Tableau to achieve a dynamic view of KRIs and control test findings. Other insurers have identified that more selectivity is needed in Board and Risk Committee reporting, reducing the volume of risk metrics and categories to ensure engagement with executive decision makers.
4. First-line engagement
Finally, a common area of feedback from our PHI clients is the ‘evergreen’ challenge of engaging front-line staff (i.e. the First Line in the Three Lines of Defence risk governance model) on their risk and compliance responsibilities. Systems accessibility and ease of use are recognised as a key determinant in achieving the desired rate of incident reporting and controls testing, but were commonly expressed as a point of dissatisfaction in risk culture surveys. Widespread systems uptake is seen as a vital way of building risk ownership and ‘buy-in’ to risk management principles, with one client even employing an additional First-Line risk employee to focus on increasing systems awareness and use. Other practices to promote engagement include training, targeted risk profile discussions, and the integration of risk KPIs into employee performance plans.