A Transformation in Progress – Perspectives and approaches to IFRS 17

The International Financial Reporting Standard 17 (IFRS 17) was issued in May 2017 by the International Accounting Standards Board (IASB) and has an effective date of 1st January 2021. The standard represents the most significant change in financial reporting for decades, placing greater demand on legacy accounting and actuarial systems. The regulation is intended to increase transparency and provide greater comparability of profitability across the insurance sector.

IFRS 17 will fundamentally change the face of profit and loss reporting. It will introduce a new set of Key Performance Indicators (KPIs), and change the way that base dividend or gross payments are calculated. To give an example, gross premiums will no longer be recorded under profit and loss. This is just one of the wide-ranging shifts that insurers must take on board in the way they structure their business to achieve the best possible commercial outcomes.

In early 2018 SAS asked 100 executives working in the insurance industry to share their opinions about the standard and strategies for compliance. The research shed light on the sector’s sentiment towards the regulation, challenges and opportunities that IFRS 17 presents, along with the steps organisations are taking to achieve compliance. The aims of the study were to better understand the views of the industry and how insurers are preparing to implement the standard. The objective was to share an unbiased view of the peer group’s analysis of, and approach to, tackling the challenges during the adjustment period. The information garnered is intended to help inform insurers’ decision-making during the early stages of their own projects, helping them arrive at the best-placed strategy for their business.

This report reveals the findings of the survey and provides guidance on how organisations might best achieve compliance. It provides a subjective, datadriven view of IFRS 17 along with valuable market context for insurance professionals who are developing their own strategies for tackling the new standard.

SAS’ research indicates that UK insurers do not underestimate the cost of IFRS 17 or the level of change it will likely introduce. Overall, 97 per cent of survey respondents said that they expected the standard to increase the cost and complexity of operating in insurance.

Companies will need to

  • introduce a new system of KPIs
  • and make changes in management information reports

to monitor performance under the revised profitability metrics. Forward looking strategic planning will also need to incorporate potential volatility and any ramifications within the insurance industry. To achieve this, firms will need to ensure the main parties involved co-operate and work together in a more integrated way.

The cost of these measures will, of course, differ considerably between organisations of different sizes, specialisms and complexities. However, the cost of compliance also greatly depends on

  • the approach taken by decision-makers,
  • the partners they choose
  • and the solutions they select.

Perhaps more instructive is that 90 per cent believe compliance costs will be greater than those demanded by the Solvency II Directive, aimed at insurers retaining strong financial buffers so they can meet claims from policyholders.

The European Commission estimated that it cost EU insurers between £3 and £4 billion to implement Solvency II, which was designed to standardise what had been a piecemeal approach to insurance regulations across the EU. Almost half (48 per cent) predict that IFRS 17 will cost substantially more.

Respondents are preparing for major alterations to their current accounting and actuarial systems, from minor upgrades all the way to wholesale replacements. Data management systems will be the prime target for review, with 84 per cent of respondents planning to either make additional investment (25 per cent), upgrade (34 per cent), or replace them (25 per cent). Finance, accounting and actuarial systems will also see significant innovation, as 83 per cent and 81 per cent respectively prepare for significant investment.

The use of analytics appears to be the most divisive area for insurers. While 27 per cent of participants are confident they will need to make no changes to their analytics systems or processes, 28 per cent plan to replace them entirely. A majority of 71 per cent still expect to make at least some reform.

IFRS17

IFRS17 2

Click here to access SAS’ Whitepaper

 

The IFRS 9 Impairment Model and its Interaction with the Basel Framework

In the wake of the 2008 financial crisis, the International Accounting Standards Board (IASB) in cooperation with the Financial Accounting Standards Board (FASB) launched a project to address the weaknesses of both International Accounting Standard (IAS) 39 and the US generally accepted accounting principles (GAAP), which had been the international standards for determining financial assets and liabilities accounting in financial statements since 2001.

By July 2014, the IASB finalized and published its new International Financial Reporting Standard (IFRS) 9 methodology, to be implemented by January 1, 2018 (with the standard available for early adoption). IFRS 9 will cover financial organizations across Europe, the Middle East, Asia, Africa, Oceana, and the Americas (excluding the US). For financial assets that fall within the scope of the IFRS 9 impairment approach, the impairment accounting expresses a financial asset’s expected credit loss as the projected present value of the estimated cash shortfalls over the expected life of the asset. Expected losses may be considered on either a 12-month or lifetime basis, depending on the level of credit risk associated with the asset, and should be reassessed at each reporting date. The projected value is then recognized in the profit and loss (P&L) statement.

Most banks subject to IFRS 9 are also subject to Basel III Accord capital requirements and, to calculate credit risk-weighted assets, use either standardized or internal ratings-based approaches. The new IFRS 9 provisions will impact the P&L that in turn needs to be reflected in the calculation for impairment provisions for regulatory capital. The infrastructure to calculate and report on expected loss drivers of capital adequacy is already in place. The data, models, and processes used today in the Basel framework can in some instances be used for IFRS 9 provision modeling, albeit with significant adjustments. Not surprisingly, a Moody’s Analytics survey conducted with 28 banks found that more than 40% of respondents planned to integrate IFRS 9 requirements into their Basel infrastructure.

Arguably the biggest change brought by IFRS 9 is incorporation of credit risk data into an accounting and therefore financial reporting process. Essentially, a new kind of interaction between finance and risk functions at the organization level is needed, and these functions will in turn impact data management processes. The implementation of the IFRS 9 impairment model challenges the way risk and finance data analytics are defined, used, and governed throughout an institution. IFRS 9 is not the only driver of this change.

Basel Committee recommendations, European Banking Authority (EBA) guidelines and consultation papers, and specific supervisory exercises, such as stress testing and Internal Capital Adequacy Assessment Process (ICAAP), are forcing firms to consider a more data-driven and forward-looking approach in risk management and financial reporting.

Accounting and Risk Management: An Organization and Cultural Perspective

The implementation of IFRS 9 processes that touch on both finance and risk functions creates the need to take into account differences in culture, as well as often different understandings of the concept of loss in the two functions.

  • The finance function is focused on product (i.e., internal reporting based on internal data) and is driven by accounting standards.
  • The risk function, however, is focused on the counterparty (i.e., probability of default) and is driven by a different set of regulations and guidelines.

This difference in focus leads the two functions to adopt these differing approaches when dealing with impairment:

  • The risk function uses a stochastic approach to model losses, and a database to store data and run the calculations.
  • Finance uses arithmetical operations to report the expected/ incurred losses on the P&L, and uses decentralized data to populate reporting templates.

In other words, finance is driven by economics, and risk by statistical analysis. Thus, the concept of loss differs between teams or groups: A finance team views it as part of a process and analyzes loss in isolation from other variables, while the risk team sees loss as absolute and objectively observable with an aggregated view.

IFRS 9 requires a cross-functional approach, highlighting the need to reconcile risk and finance methodologies.

The data from finance in combination with the credit risk models from risk should drive the process.

  • The risk function runs the impairment calculation, whilst providing objective, independent, and challenger views (risk has no P&L or bonus-driven incentive) to the business assumptions.
  • Finance supports the process by providing data and qualitative overlay.

Credit Risk Modeling and IFRS 9 Impairment Model

Considering concurrent requirements across a range of regulatory guidelines, such as stress testing, and reporting requirements, such as common reporting (COREP) and financial reporting (FINREP), the challenge around the IFRS 9 impairment model is two-fold:

  • Models: How to harness the current Basel-prescribed credit risk models to make them compliant with the IFRS 9 impairment model.
  • Data: How (and whether) the data captured for Basel capital calculation can be used to model expected credit losses under IFRS 9.

IFRS9 Basel3

Click here to access Moody’s detailed report

Mastering Risk with “Data-Driven GRC”

Where are organizations heading ?

“Data Driven GRC” represents a consolidation of methodologies, both functional and technological, that dramatically enhance the opportunity to address emerging risk landscapes and, in turn, maximizing the reliability of organizational performance. This paper examines the key opportunities to leverage change—both from a risk and an organizational performance management perspective—to build integrated, data-driven GRC processes that optimize the value of audit and risk management activities, as well as the investments in supporting tools and techniques.

Functional Stakeholders of GRC Processes and Technology

The Institute of Internal Auditors’ (IIA) “Three Lines of Defense in Effective Risk Management and Control” model specifically addresses the “who and what” of risk management and control. It distinguishes and describes three role- and responsibility-driven functions :

  • Those that own and manage risks (management – the “first line”)
  • Those that oversee risks (risk, compliance, financial controls, IT – the “second line”)
  • Those functions that provide independent assurance over risks (internal audit – the “third line”)

The overarching context of these three lines acknowledges the broader role of organizational governance and governing bodies.

Technology Deficiencies in the Three Lines of Defense

Since the emergence of Sarbanes-Oxley, the use of technology in risk and control related processes has truly started to take meaningful shape in many organizations. However, when looking across the risk and control oriented functions in most organizations, technology is still typically used on a departmental or point solution basis.

Third Line (internal audit) use of risk & control technology

For the past decade, surveys of internal auditors have consistently identified the more effective use of technology as among the most pressing issues facing the profession. Specifically, the responses to the surveys also referred to the need for increased use of technology for audit analysis, fraud detection, and continuous auditing. Other surveys also highlight a shortage of sufficient technology and data analysis skills within audit departments.

Much of the driving force for improving the use of technology is based on the desire to make the audit process itself more efficient and more effective, as well as to deliver more tangible value to the rest of the organization.

During the past decade, the role of the internal audit function itself has changed considerably. Internal audit’s traditional focus on cyclical audits and testing internal controls is evolving into one in which internal audit is expected to assess and report on the effectiveness of management’s processes to address risk overall. This often includes providing guidance and consultation to the business on best practices for managing risk and compliance within business process areas and maintaining effective control systems. The use of technology is an increasingly critical component of these best practices and in some cases internal audit is able to champion the implementation of high-impact, high-value technology within the business’s risk management and compliance processes, based on their own experience in using technology for assurance purposes.

There is considerable variation in the extent to which internal audit departments leverage technology. However it is certainly fair to say that for audit to be truly valuable and relevant within the context of organizational strategy, a significant improvement is required across the board. Internal audit as a profession simply is not moving forward at the pace of technology.

Some specific statistics from recent research reveals:

  • Only approximately 40% of internal audit departments use audit and documentation management systems from specialized vendors. The remainder use disorganized tools and processes, typically based on Microsoft Office® & shared folders.
  • Audit programs for specific business process areas and industries are usually developed through a combination of previously used programs and those shared on various audit-related websites. This approach does not address organization-specific risk.
  • Next generation testing techniques, especially data analytics, are overwhelmingly underutilized.

Second Line (risk, compliance, financial controls, IT) use of risk & control technology

Outside of audit, in other areas of risk and compliance, some organizations have acquired specialized departmental software, but the majority use only basic Office tools to maintain inventories of risks, document controls and perform risk assessments. In larger enterprises, it is not unusual to have a variety of different technologies and approaches applied in different operational entities or in different functional areas. This approach is usually more costly and less effective than one based on a common platform. Effective testing methods using technology are usually unavailable or left unconsidered.

In fact, second line of defense functions often rely heavily on inquiry-based methods such as surveying, which are proven ineffective at identifying the actual manifestations of risk in the organization. If analytical software is used in the business for investigations or monitoring transactions, it in many cases involves standard query tools or some form of generic business intelligence (BI) technology. Although good for providing summary level information or high-level trends, BI tools struggle to show the root cause of problems. And while they may have certain capabilities to prevent fraud and errors from occurring, or to flag exceptions, they are not sufficient to effectively trap the typical problem transactions that occur.

First Line (management) use of risk & control technology

While in some cases, first line management have access to better technology for use on specific pain point areas (e.g., continuous transaction monitoring technology used within finance departments), there is a common tendency for management to place far too much reliance on core business systems for effective control. While the large ERP and other system vendors seem to have extensive capabilities for preventing control deficiencies, the reality is that these are extremely extensive and complex systems and internal controls are usually the afterthought of those implementing them, not a core focus. For example, in many cases certain control settings are turned off to enable the ERP system to run more efficiently.

An integrated and collaborative approach to managing risks and monitoring controls in collaboration with the second and third lines of defense, using a common, independent methodology and technology platform, typically proves the most effective in accomplishing management’s key risk mitigation strategies.

DD GRC

 

Click here to access ACL’s White Paper

By investing heavily in start-ups and technology, (re)insurance companies appear to have assumed a semblance of control over the InsurTech revolution

Who Benefits from Modularization?

With technology moving forward at an unprecedented pace, incumbents are increasingly electing to outsource functions to highly specialized new entrants, renting evolving modules of technology that can be tailored to suit their individual needs. Though this approach may be more cost effective, it further fuels the question of whether incumbents will allow value in the industry to shift towards new entrants. In time, market participants will come to understand which module in the chain generates the most value. It is plausible that automation in distribution will shift value towards efficiency of internal processes that support cutting-edge modeling and underwriting engines.

InsT0

The State of InsurTech

InsurTech funding volume increased 36% year-over-year in 2017, demonstrating that technology driven innovation remains a core focus area for (re)insurance companies and investors heading into 2018. However, perhaps contrary to many of the opinions championed in editorial and press coverage of the InsurTech sector, further analysis of the growing number of start-ups successfully attracting capital from (re)insurers and financial investors reveals that the majority of InsurTech ventures are not focused on exiling incumbents by disrupting the pressured insurance value chain. According to research from McKinsey & Company,

  • 61% of InsurTech companies aim to enable the value chain,
  • 30% are attempting to disintermediate incumbents from customers
  • 9% are targeting full scale value chain disruption.

Has the hype surrounding InsurTech fostered unjustified fear from overly defensive incumbents?

We have taken this analysis a step further by tracking funding volume from strategic (re)insurers versus financial investors for InsurTechs focused on enabling the value chain relative to their counterparts attempting to disintermediate customers from incumbents or disrupt the value chain altogether and found that 65% of strategic (re)insurer InsurTech investments have been concentrated in companies enabling the value chain, with only 35% of incumbent investments going to start-ups with more disruptive business models. What does it mean? While recognizing the subjective nature of surmising an early stage company’s ultimate industry application at maturity from its initial focus, we attribute this phenomenon to the tendency of incumbents to, consciously or subconsciously, encourage development of less perceptibly threatening innovation while avoiding more radical, potentially intimidating technologies and applications.

Recognizing that this behavior may allow incumbents to preserve a palatable status quo, it should be considered in the context in which individual investments are evaluated – on the basis of expected benefits relative to potential risk. We have listed several benefits that InsurTechs offer to incumbents :

InsT1

Segmenting the InsurTech Universe

As InsurTech start-ups continue to emerge across the various components of the insurance value chain and business lines, incumbents and investors are evaluating opportunities to deploy these applications in the insurance industry today and in the future. To simplify the process of identifying useful and potentially transformational technologies and applications, we have endeavored to segment the increasingly broad universe of InsurTech companies by their core function into four categories:

  1. Product & Distribution
  2. Business Process Enhancement
  3. Data & Analytics
  4. Claims Management

This exercise is complicated by the tendency of companies to operate across multiple functions, so significant professional judgment was used in determining the assignment for each company. A summary of the criteria used to determine placement is listed below. On the following pages, we have included market maps to provide a high level perspective of the number of players in each category, as well as a competitive assessment of each subsector and our expectations for each market going forward. Selected companies in each category, ranked by the amount of funding they have raised to date, are listed, followed by more detailed overviews and Q&A with selected representative companies from each subsector.

InsT2

Click here to access WTW’s detailed birefing

Insurance Data Integrated Platform

The insurance industry today is poised for a paradigm shift in the way that technology is deployed to provide products and services to customers. This has primarily been driven by changing business needs and the innovations brought about by myriad insuretech firms, leading to an inevitable shift towards adopting the new digital innovations.

Analysts have forecast significant investments geared towards the digitalization of the industry and expect such investments to continue pouring in for several years. It is also expected that an increasing number of new insurance companies will be driven by technology companies to bring better products, services, and customer service in the insurance industry.

A forward-looking plan of action, sufficient operational flexibility, an effective implementation strategy, and a willingness to adopt digital disruptions in every aspect of their organization – those insurers that have all of the above can position themselves to leverage the impending digital disruptions to propel their organization to the very forefront of the industry.

DEALING WITH THE DIGITALIZATION OF THE INSURANCE INDUSTRY

These adopters of digital technology will have a clear upper hand against their competition. Suitably equipped to cut costs and design more attractive offerings, the digital insurance carriers are sure to acquire a whole new set of customers, thus increasing market share. Those who fail to quickly adopt the new technologies, on the other hand, will struggle to maintain their competitive positions in the midst of a customer-centric, price-sensitive market.

Data has always been at the center of the insurance industry, and despite the changes that are to come, data will continue to be the focal point of the industry. In fact, it’s set to play a bigger role to play than ever before.

The continued criticality of data in the insurance landscape is ensured by carriers’ need for information-driven strategies in the digitalized business scenario. They’ll have to leverage data as an asset, enabling automated decision-making in critical business processes, in order to thrive. This, in turn, is why a digital business technology platform – one that incorporates information management and analytical capabilities – will become a necessity in the future.

Without a system in place to support the analytics and reporting needs of the business, decision-makers may be left with no choice but to rely on conventional time-consuming manual processes those are more qualitative rather than quantitative in nature. This is bound to cause serious repercussions for the organization, ultimately resulting in missed opportunities and loss of competitiveness.

According to a Gartner study, the two following technology platforms are essential for any digital business:

  1. Data and analytics platform – This platform should consist of data management programs and analytics applications to enable data-driven decision making
  2. Ecosystems platform – This platform’s role should be to support the creation of and connection to external ecosystems, marketplaces, and communities

MFX

 

Click here to access MFX’s detailed White Paper

 

The General Data Protection Regulation (GDPR) Primer – What The Insurance Industry Needs To Know, And How To Overcome Cyber Risk Liability As A Result.

SCOPE

The regulation applies if the

  • data controller (organization that collects data from EU residents)
  • or processor (organization that processes data on behalf of data controller e.g. cloud service providers)
  • or the data subject (person)

is based in the EU. Furthermore, the Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. Per the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from

  • a name,
  • a home address,
  • a photo,
  • an email address,
  • bank details,
  • posts on social networking websites,
  • medical information,
  • or a computer’s IP address.”

The regulation does not apply to the processing of personal data for national security activities or law enforcement; however, the data protection reform package includes a separate Data Protection Directive for the police and criminal justice sector that provides robust rules on personal data exchanges at national, European and international level.

SINGLE SET OF RULES AND ONE-STOP SHOP

A single set of rules will apply to all EU member states. Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative breaches, etc. SA’s in each member state will cooperate with other SA’s, providing mutual assistance and organizing joint operations. Where a business has multiple establishments in the EU, it will have a single SA as its “lead authority”, based on the location of its “main establishment” (i.e., the place where the main processing activities take place). The lead authority will act as a “one-stop shop” to supervise all the processing activities of that business throughout the EU. A European Data Protection Board (EDPB) will coordinate the SAs.

There are exceptions for data processed in an employment context and data processed security, that still might be subject to individual country regulations.

RESPONSIBILITY AND ACCOUNTABILITY

The notice requirements remain and are expanded. They must include the retention time for personal data and contact information for data controller and data protection officer must be provided.

Automated individual decision-making, including profiling (Article 22) is made disputable. Citizens now have the right to question and fight decisions that affect them that have been made on a purely computer generated basis.

To be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Privacy by Design and by Default require that data protection measures are designed into the development of business processes for products and services. Such measures include pseudonymizing personal data, by the controller, as soon as possible.

It is the responsibility and liability of the data controller to implement effective measures and can demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller.

Data Protection Impact Assessments must be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and prior approval of the Data Protection Authorities (DPA) is required for high risks. Data Protection Officers (DPO) are to ensure compliance within organizations.

DPO must be appointed:

  • for all public authorities, except for courts acting in their judicial capacity
  • if the core activities of the controller or the processor consist of
  • by their nature, their scope and/or their purposes, require regular and systematic
    monitoring of data subjects on a large scale
  • processing on a large scale of special categories of data pursuant to Article 9 and
    personal data relating to criminal convictions and offences referred to in Article 10
    processing operations which, for the purposes of national

GDPR in a Box

 

Click here to access Clarium’s detailed paper

Mastering Risk with “Data-Driven GRC”

Overview

The world is changing. The emerging risk landscape in almost every industry vertical has changed. Effective methodologies for managing risk have changed (whatever your perspective:

  • internal audit,
  • external audit/consulting,
  • compliance,
  • enterprise risk management,

or otherwise).

Finally, technology itself has changed, and technology consumers expect to realize more value, from technology that is more approachable, at lower cost.

How are these factors driving change in organizations?:

Emerging Risk Landscapes

Risk has the attention of top executives. Risk shifts quickly in an economy where “speed of change” is the true currency of business, and it emerges in entirely new forms in a world where globalization and automation are forcing shifts in the core values and initiatives of global enterprises.

Evolving Governance, Risk, and Compliance Methodologies

Across risk and control oriented functions spanning a variety of

  • audit functions,
  • fraud,
  • compliance,
  • quality management,
  • enterprise risk management,
  • financial control,

and many more, global organizations are acknowledging a need to provide more risk coverage at lower cost (measured in both time and currency), which is driving reinventions of methodology and automation.

Empowerment Through Technology

Gartner, the leading analyst firm in the enterprise IT space, is very clear that the convergence of four forces,

  • Cloud,
  • Mobile,
  • Data,
  • and Social

is driving the empowerment of individuals as they interact with each other and their information through well-designed technology. In most organizations, there is no coordinated effort to leverage organizational changes emerging from these three factors in order to develop an integrated approach to mastering risk management. The emerging opportunity is to leverage the change that is occurring, to develop new programs; not just for technology, of course, but also for the critical people, methodology, and process issues. The goal is to provide senior management with a comprehensive and dynamic view of the effectiveness of how an organization is managing risk and embracing change, set in the context of overall strategic and operational objectives.

Where are organizations heading?

“Data Driven GRC” represents a consolidation of methodologies, both functional and technological, that dramatically enhance the opportunity to address emerging risk landscapes and, in turn, maximizing the reliability of organizational performance. This paper examines the key opportunities to leverage change—both from a risk and an organizational performance management perspective—to build integrated, data-driven GRC processes that optimize the value of audit and risk management activities, as well as the investments in supporting tools and techniques.

Data Driven GRC

Click here to access ACL’s detailed White Paper