Risk and compliance are generally overlooked topics to talk about, but essential in the business world. Given that companies are continuously pressured to produce profits for investors and shareholders, sometimes they go to great lengths for this as demonstrated by notorious cases like Enron, WorldCom and Lehman Brothers.
The external auditor’s role demands the most independent representation of the risk and compliance process as the last line of defense of a company after the first two pillars: day to day staff operations and internal enterprise risk management system.
Due to this independence, there is a natural unease since they are playing an autonomous role on providing opinions on the fair presentation of financial statements, along with perhaps the internal controls of the first two pillars. There is a risk that the financial information provided may include potential biases, complexity of transactions and subsequently severe consequences to stakeholders like investors or reporting/government/tax agency supervisors.
Specifically, insurance is a multi-faceted business where insurers assume and pool risks in return for premiums while assessing the risks inherent within the assets and liabilities to establish capital adequacy and technical provisions including but not limited to: mortality, morbidity, claims frequency/severity, interest rates, financial instruments, governance principles and risk methodologies.
Taking the Driver’s Seat
To put it in perspective, let’s take the actuary’s role where they may be designing, implementing and testing insurance products, and place them in the driver’s seat of a car. In many ways, this car is conceptually navigated forward by looking at the rear-view mirror from historical data and experience studies (Side note: Meteorologists have the same dilemma forecasting the weather for the next month or so while actuaries are looking to forecast the next 30+ years!).
The actuary needs to navigate this car with parts like the engine and transmission developed and maintained by different staff departments like IT. Risk management is responsible for safety features like breaks, seat belts and airbags. The actuary probably has better technology like a smartphone which can be used for analytics to help navigate the vehicle, but needs to be used wisely or they may risk crashing the car if using incorrectly while driving.
An overseeing regulatory committee is responsible for the car’s practical design, emissions testing and safety features driven (pun intended) to ensure the safety for fellow motorists and public. The overall functioning of the car parts is validated by an internal audit team to help achieve these objectives. There are a lot of moving parts here that the actuary needs to handle to best do their job.
If and when the pedal hits the medal, there could be a case where the airbags are not functioning properly or emitting higher levels of pollution under real world driving conditions. This is where the external auditor creates the added value of checking up on all these things before it hits the road.
Navigating Forward
Auditors and actuaries occupy special positions of influence over insurance companies and have wider responsibilities to the public along with policyholders, which make it particularly important that they possess the skills, qualifications and experience necessary to discharge their responsibilities and that they adhere to high standards of professional competence, conduct, and integrity. It is important that both individual actuaries and external auditors keep their professional knowledge up to date.
While auditors and actuaries can exert considerable influence over the affairs of insurance companies, they may themselves come under considerable pressure from companies where their work leads to the identification of issues that may adversely affect the value of future operations. They need to have the self-confidence and strength of character to withstand such pressure and to take appropriate action, which may, in extreme cases, require them to qualify the company’s accounts or to “whistle blow” to the supervisor. While such self-confidence and strength of character are often difficult to assess in advance, they may be lacking in those who are only recently qualified or who lack experience.
What is sometimes lost in this shuffle is that external auditors are not trying to play ‘gotcha’, it’s more they are helping to solve problems that otherwise may be too big to solve, as everyone is essentially in this together in today’s complex world. With the kind of reputational risk that hampers all organizations, it is a better setting to work on this together through all pillars of the risk and compliance process.