Solvency, GRC and surviving storms at The Hartford

US insurer's op risk head Kay Rahardjo discusses solvency regulations and the lessons learned from 2012's superstorm

Major insurers, wherever they operate, are preparing for massive regulatory change during the next 18 months. While EU insurers wait patiently for a final version of guidelines for their Solvency II preparatory measures – due to be released in October 2013 – the US is carrying out its second round of pilot tests of the Own Risk and Solvency Assessment (Orsa) procedures. A total of 21 US insurers are taking part in the tests run by the US National Association of Insurance Supervisors (NAIC). The second pilot test incorporates changes made after last year's test, which led to the NAIC asking firms to include more detail on their capital models and accounting methods in their Orsa submissions. The full Orsa procedure will have to be in place by a deadline of January 1, 2015.

But experts have warned that the guidance for US firms on Orsa may be difficult to interpret in its current form. With just 11 pages in the guidance, insurers are struggling to understand exactly what is required of them. However, with the second round of pilot tests under way for the US Orsa, the industry also fears that any revised Orsa guidance could go too far in the other direction and become too prescriptive. In June 2013, the American Insurance Association (AIA) warned that the US Orsa must not turn into a "check-box" exercise, and the AIA's senior counsel, Phillip Carsen, said that the association had been "struggling" with regulators to prevent the guidance from becoming too prescriptive.

Connecticut-headquartered insurer The Hartford is not immune from these concerns. Its chief operational risk officer, Kay Rahardjo, points out that while at the moment there is flexibility in terms of how insurers conduct the Orsa, this does not excuse insurers from having to prove that their processes are adequate to a sceptical regulatory authority.

"The Orsa requires that we demonstrate to a regulator that we are aware of our material risks, that we know how to manage them and we know how to measure them. Even though they are high-level principles, there is still a fair amount of work that needs to be done to demonstrate that you have a good handle on your risks and that you truly are managing them appropriately, particularly if you're a large multi-line insurance company."

To meet the Orsa requirements, Rahardjo explains that The Hartford has put a detailed road map in place to develop a draft report sometime in 2014. The insurer has also hired an external consultant to help it achieve this. "From an overall Orsa perspective, they ask that a company reports on its major risks, which might be financial risk, operational risk, insurance risk and so on. We want to show that we have governance in place and that we have policies, procedures and the ability to measure and monitor each of our major risks. We also want to demonstrate at a high level that we know what we are doing and that we have a handle on our material risks."

Rahardjo is basing much of her approach on the US Insurers Financial Solvency Framework, an NAIC document published in 2010, which outlined seven core principles for solvency planning for US insurers. The company's risk managers are also looking at the overall measures and the capital they use, plus scenario testing and stressing of results.

A particularly important part of the solvency framework, Rahardjo says, is the approach to tail risk. "Having an adequate amount of capital to deal with tail risk is clearly a part of the Solvency assessment not only for us, but I think the Orsa," she explains. "That is contained in the broad outlines of the Orsa."

To meet the deadline, The Hartford is aiming to have an acceptable draft report ready in 2014. "We want to be able to discuss this internally as well as if we choose to talk to the regulator. We have ongoing conversations with our internal executive-level risk committee and they are fully aware of all of the work that we are doing around the Orsa and the importance of this in terms of the regulatory framework."

On top of the Orsa, US insurers are dealing with changes at the federal level. The 2010 Dodd-Frank Act includes the formation of a Federal Insurance Office within the US Treasury. Rahardjo points out, however, that as things stand, there is no firm mandate for federal regulation of insurers in the US.

"Insurance companies are not regulated at a national level like banks are, they are regulated by the individual states. We are not required to follow the Office of the Comptroller of the Currency or the Federal Reserve's regulations and guidelines. Also we are not subject to the Basel standards. Certainly we are aware and pay attention, but we are not subject to Basel."

She points out that the Federal Insurance Office does not have regulatory authority over insurers. The office is able to ask for certain data from insurance companies and make certain data calls, but it does not hold any regulatory power at the moment. Rahardjo says she is not sure whether it will go that way or not. "Others may have a differing opinion," she adds.

She does express concerns, however, about the future of federal oversight of the industry. "My concern with federal regulation is if it develops into additive laws," she says. "This could add more expense and more bureaucracy and more regulation on top of what we already have. I'm not sure that I see it as a real possibility – and it's just my personal opinion – but I am concerned federal regulation would be additive."

GRC

Rahardjo is also responsible for The Hartford's governance, risk and compliance (GRC) system. She explains that the company uses just one GRC platform that caters for all its needs including Sarbanes-Oxley compliance, vendor risk management, internal audit, compliance and enterprise risk management (ERM). "We've built everything into one GRC," she explains. "I think that really is an important point that helps a firm to better aggregate, manage and understand its operational risk when there is one system rather than multiple systems."

The process of getting everything on the system is not an overnight job, Rahardjo explains. The Hartford has been working with its current GRC system for three years and builds it on an ongoing basis, she says. Prior to this, The Hartford was working on different platforms, homegrown platforms and spreadsheets. Rahardjo says that removing multiple spreadsheets is one of the significant benefits of having a single effective GRC platform. She explains: "You are automating a process and when you're automating a process it allows you to look at how efficient that process is. In many cases it removes multiple spreadsheets around the firm, which is very helpful as spreadsheets should not be used for tracking security incidents, for example."

One of the key risks of trying to capture operational risk on spreadsheets, she says, is that people can abuse spreadsheets by overusing them without a common standard or set of rules, which then makes it difficult to keep up with their content. "If you are trying to keep up with new rules and regulations in several spaces, and you're doing environmental scans and capturing that in multiple spreadsheets around the company, you can't really report. And when it comes to tracking security incidents, you may have different people within the company who are tracking security incidents and each person has their own flavour of what they think is important and how they do it; this becomes impossible to aggregate. And then when people leave the company or move jobs that data can be lost."

Model risks

Rahardjo also has responsibility for model risk management within The Hartford – which, she says, is not always a simple process. "My focus has always been on developing an overall inventory of our most important models. There are probably thousands of models within the company and we have developed a process where we identify the most critical models and then ensure that those critical models have someone who is responsible for owning them. We also make sure that the models are validated to ensure that when you add two and three, you really do get five."

There are day-to-day challenges where models are concerned, Rahardjo explains, one of which is incomplete documentation. "We find that not all of our models have complete documentation, so it is a challenge to develop that; but it's a challenge that we are taking on and working through."

The model-ownership approach, like other areas of operational risk management, also suffers from key person risk – ownership-derived tacit knowledge and expertise can be lost when people change jobs, particularly if they leave The Hartford, Rahardjo explains. Improving staff retention helps reduce this risk, especially for the original developers of the model, as does documenting subject matter expertise and details of validation for all the company's critical models.

"Typically there is a relatively small group of people that develop specific models, continue to add to it and when they change jobs, the people that come and backfill behind them don't necessarily have the same understanding of the model. That is when my group comes in and wants to validate the model. Then it's a matter of finding the person who originally developed the model so that we can understand the assumptions, the data that was used and the algorithms that were used in developing the modelling techniques and characteristics."

In some cases, of course, the developers have already left the company. This makes life more complicated for Rahardjo and her team.

"In that case it's a matter of tearing things apart and gathering whatever documentation we have and putting the puzzle together. It clearly takes more time than if you had a book you could take off the shelf to understand the data, the calculations and the assumptions; it's more time consuming."

Rahardjo's responsibilities here cover two main areas: model governance and model validation. She says the validation is probably easier to understand in that it involves technical staff working through models and ensuring that they are working as intended. "It is ensuring the data that is going into the model is correct and the model is capturing all the data that it wants. We want to make sure we are receiving data from all 50 states and that we are not leaving out, for example, data from New York. We need to check if the data that is going into the model is complete and accurate, whether the calculations are correct and if the assumptions make sense and are properly documented."

In practice, Rahardjo explains, this work is done at The Hartford by trained technical people who are experts in their fields. They might be working on pricing models, financial models or capital models, with each person in the validation area validating multiple models at any given time.

Rahardjo describes how they work: "They work in teams and we have borrowed from our friends in internal audit, because when they are checking controls and financial systems they go through a rigorous process. We have modelled our model validation very much on what they do."

She says it is all about having a process that you can follow every time you carry out a validation and, if something goes wrong, being able to go back and see which step in the process went wrong and what needs to be changed. "The auditors are good at the process thing so it seems like a natural synergy," she adds.

There are problems that come with this process: for example, if a specific, highly complex model needs validating and the expertise is not available within the model risk group to carry out the independent validation. "That is a challenge," Rahardjo says. "We need to have this highly critical model validated and we find that we don't have an independent validator, we only have people in the company that have worked on this model. In a situation like that we would have to find an external consultant to help."

The governance angle is more involved than the validation process, according to Rahardjo. On top of the requirements to identify critical models from the thousands in use within the company, and the need to find a model owner for each model, there is the question of how often the model should be updated. "Should it be updated every six months or every five years?" says Rahardjo. "And what is the schedule and who is responsible for ensuring the model gets updated? What are the very critical inputs? Is it a model that depends on interest rates? If so, does it get updated on a daily basis, does it get updated on a quarterly basis? It is those sorts of things that we want to ensure from a model governance perspective."

To ensure this gets done, The Hartford uses its GRC system. "We are actually going through the process right now where we have developed what I would call the model owners for each of our critical models. Within our GRC platform they are capturing a series of about 50 different questions on each of the highly critical models and then on an ongoing annual basis that will have to be updated and worked through," Rahardjo says.

And she is clear that having a single GRC platform is the way forward, although she sees that this is not necessarily commonplace within the industry in the US at the moment. "I meet with a group almost every quarter in New York. There are about 15 other insurance companies and we are all in operational risk. One of the things that I have come to learn is that when companies use GRC they tend to use at least two and in some cases three or four platforms. Using just one clearly puts us ahead in terms of this and I think that is a real advantage that we have. And of the people in the group, there are some that are still only thinking about adopting a GRC system. It is definitely still evolving."

The lights are on...and everyone's home

Rahardjo's other main area of concern as a head of operational risk is business continuity.

The insurer tests its disaster recovery procedures every year. A campus test is carried out to test the company's plans. However, Rahardjo points out that whenever a real event happens, there are always lessons to be learnt. As such, institutions must keep their plans up to date and be flexible and creative when things go wrong. "One example from Sandy was that our New York office was open and ready for business – the power was on and everything was fine," Rahardjo explains. "But people in New York couldn't get there. The subways weren't working, the trains weren't working and fuel wasn't available, so we had to be creative and we sent buses down to bring people to the office. We sent buses all the way from Connecticut. You have got to be really flexible in a situation like that. That is not something we had planned for."

She explains that at The Hartford employees are often able to work from home. This works well for the company from a work-life balance perspective, but there are business continuity issues that must be taken into consideration. "We've come to realise both with the winter storm we experienced here in October 2011, as well as with Superstorm Sandy in October 2013, that if you have many remote workers that don't have power in their homes, you need to be able to get them into a Hartford office where there is power. So one of the things we've been focused on is having a contingency plan of getting remote workers into a Hartford office whenever people can't work out of their homes."

The Hartford has three large campuses within the greater Hartford area – but it has recently decided to consolidate into two, putting more pressure on the insurer to get its business continuity right in the face of storms and similar threats. "It means we have less shared space, less cafeteria space, fewer conference rooms and fewer empty offices. To get remote workers in if necessary when there is a big event that leaves people without power in their homes we have to be smart about how we share space."

To do this, she says one of the first things that must be done is to decide which of the remote workers are critical – and must therefore be accommodated in the office if necessary. Then any scheduled events within the company, such as training, would have to be postponed to make space for remote workers to work in the building. Another key point for The Hartford's business continuity is ensuring all remote workers have a laptop that can be brought into the office in such an event.

Predictions that North America will see more severe storms, perhaps worse than 2012's Superstorm Sandy, trouble Rahardjo. "Sandy wasn't even a hurricane, it was a tropical storm, yet it was devastating. It caused an incredible amount of damage and forecasters say there are going to be more things like that on the East Coast. If that really is the case, I think that companies need to be very ready for their plan B. And they have to have a well-tested plan B in place, as well as a plan C. If more storms are going to happen, then companies need to be ready."

She also points out that insurance companies and banks found they had a lot in common when Sandy hit. "Sandy showed us that we both need to have good resiliency plans for when things go wrong or unexpected things happen," she says. "We both need to have technology that works and to be able to answer the phone when our customers are calling, otherwise – in our case – we can't service our policyholders."

And in the coming months and years Rahardjo expects to be watching the NAIC just as closely as the Weather Channel – she anticipates that the insurance industry will see continued interest from its regulators and rating agencies on risk issues, and expects to see GRC systems gaining a lot of momentum. "My phone rings all the time with folks that want to come and talk to me about their GRC system and how good it is. I also have colleagues in other insurance companies who know that we have a GRC system and we have frequent conversations about it. Companies adopting GRC really seems to be a fertile area at the moment."

The GRC boom is not just the result of regulatory pressure, she points out – insurers are recognising that it is the only way to achieve a coherent approach to managing the operational risks of an increasingly complex industry. "Generally there is more focus on operational risk. How else do you pull it all together if you don't have a systemic way of doing it? GRC simply allows you to have a systemic approach to managing your operational risk."
