Risk management insights for private health insurers

Date: 4th July 2022

The Australian insurance industry continues to face ever-increasing regulatory demands, technological change and competitive market pressures.

Private Health Insurers (PHIs) are no exception, with ongoing affordability concerns adding to the array of challenges. So how are PHI risk managers and CROs helping to navigate these difficult conditions? Based on our work with over 20 PHI clients in the last 12 months, we have identified four of the most crucial risk areas that we believe Funds need to be thinking through and addressing via a targeted risk management response.

Cyber security

Cyber security risk is front of mind for PHIs, recognising the vulnerability of sensitive policyholder data as services and transactions move increasingly online, and as the threat of cyber-attacks continues to escalate. The Australian Cyber Security Centre (ACSC) recorded a 13% increase in reported cybercrimes in 2021 compared to the previous year. The risk is further compounded by increasingly complex and sophisticated tactics.

Accordingly, of all technology risks recorded by PHIs, more than 50% pertain to cyber security:


A central driver of cyber security risk for PHIs is the dependency on third-party providers, especially where they hold or process sensitive health data on behalf of Funds.

A Challenge to Risk Managers:

Does your firm sufficiently assess and understand:

• The nature and extent of its cyber exposure, particularly where Information Assets are managed by third parties?

• The level of assurance obtained from those third parties on their cyber resilience?

Finity has worked closely with a range of clients to review the information security capability and maturity of outsourced providers, which remains a core component of CPS 234 compliance.

Operational risk - resource management

By category, operational risk remains the largest source of individual risks across PHI risk registers:


The prominence of operational risk for PHIs aligns with APRA’s current focus areas. In late 2022 APRA will consult on a new Prudential Standard CPS 230, capturing enhanced requirements and minimum expectations for systems, operational controls, and third-party arrangements. CPS 230 is expected to take effect in 2024.

Our view is that ‘people risk’ remains a major factor driving operational risk - that is, being able to attract, manage and retain good staff. On this last point, around 10% of all finance and insurance professionals have changed jobs in the past 12 months. Funds should identify and measure areas of key person dependency and manual process reliance in their operations, and consider strategies to mitigate the disruption and knowledge loss associated with turnover. Staff satisfaction surveys are another important way to monitor resource risk.

A Challenge to Risk Managers:

Have adequate steps been taken to evaluate that:

• The right succession arrangements are in place for key personnel, and for people risk overall?

• Your risk and compliance function is appropriately resourced? The challenge in attracting and retaining risk and compliance personnel has increased across the financial services industry in recent years.

Business continuity

COVID-19 highlighted the criticality of effective business continuity management, which remains a major source of risk for PHIs - especially given the commonality of system dependencies on outsourced providers.

Under the incoming CPS 230 (mentioned above), minimum standards will apply for PHIs around business continuity management, including maintaining continuity of essential customer-facing services and third-party monitoring arrangements.

Given that PHIs are not currently subject to prudential regulation on Business Continuity (other than Pandemic Plans), this is likely to be an area of focus for the PHI sector in FY2022/23.

A Challenge to Risk Managers:

In preparing for compliance with the business continuity component of CPS 230, how ready is your Fund with respect to its:

• Specification of risk tolerance ranges for critical IT systems in the Risk Appetite Statement?

• Periodic (ideally annual) reviews of business continuity plans and systems, as well as the assessment of outsourced provider business continuity and recovery capabilities?

• Documentation of the business continuity management policy and plan?

Finity has assisted a variety of clients in conducting risk management and business continuity reviews, particularly with documentation of their business continuity arrangements.

Regulatory reforms

Regulatory and compliance risks (in terms of frequency across risk registers) make up only 14% of total risks, but represent 56% of risks with a ‘very high’ residual risk rating. As such, regulatory risk remains the source of greatest concern for risk managers.


Our analysis indicates that it is the uncertainty associated with future regulations, more than the risk of actual compliance breaches, that drives the risk category.

A Challenge to Risk Managers:

Does your Fund have the right systems and processes in place to manage compliance risk and coordinate change associated with regulatory reform? In particular, Funds should consider:

• How best to monitor industry and regulatory trends, and

• How to maintain a proactive approach to compliance.

An opportunity for Risk Managers

As PHIs continue to navigate the heightened risk landscape, we consider that there is an opportunity for Funds to recalibrate their risk appetite closer to actual experience. For example, as at mid-2021, the majority of key risks monitored by PHI clients were observed to be out of appetite. Moreover, despite the importance of ongoing risk monitoring and reassessment, only half the Funds have conducted a strategic risk workshop or review in the past 12-18 months.

So how does your Fund’s risk appetite measure against actual performance? While PHIs face similar market conditions, each Fund will have its own specific focus areas and challenges based on its strategy, operations, market positioning and risk appetite.

At Finity, we’d love to discuss any specific questions around your Fund’s approach to risk management, including risk appetite philosophy and approach, or opportunities to enhance your Fund’s risk management framework.

Finity’s Regulation compass provides general updates and analysis on major developments in the regulatory space.