Consultation Paper: RISK MANAGEMENT FOR PRIVATE HEALTH INSURERS, January 2013


1 1. Submissions and Enquiries | PHIAC

Disclaimer

This is a discussion paper whose purpose is to stimulate discussion, debate and feedback to the Private Health Insurance Administration Council. The Private Health Insurance Administration Council disclaims any liability for any loss or damage arising out of any use of this paper. The Private Health Insurance Administration Council encourages private health insurers to seek independent advice and to exercise care in relation to any material contained in this paper.


1. Submissions and Enquiries

The Private Health Insurance Administration Council (PHIAC) invites submissions on the contents and the potential regulatory impact of this discussion paper. Submissions and enquiries may be directed to:

General Manager, Industry Operations
Private Health Insurance Administration Council
PO Box 4549
KINGSTON 2604
Phone: (02) 6215 7900
Email: [email protected]
Web: www.phiac.gov.au

Important

Submissions should be in writing and provided to PHIAC by Friday, 15 March 2013.

Submissions may also be the subject of a request for access made under the Freedom of Information Act 1982 (FOI Act). PHIAC will determine such requests, if any, in accordance with the provisions of the FOI Act.

Accessing this paper online

This report, together with further information about PHIAC and the private health insurance industry, can be accessed from PHIAC’s website www.phiac.gov.au.

Use of this Paper

While PHIAC endeavours to ensure the quality of this publication, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this publication and will not be liable for any loss or damage arising out of any use of, or reliance on, this publication.

This publication is available for your use under a Creative Commons Attribution 3.0 Australia licence, with the exception of the Commonwealth Coat of Arms, photographs, images, signatures and where otherwise stated. The full licence terms are available from http://creativecommons.org/licenses/by/3.0/au/legalcode.


Use of PHIAC material under a Creative Commons Attribution 3.0 Australia licence requires you to attribute the work (but not in a way that suggests that the PHIAC endorses you or your use of the work).

PHIAC material used ‘as supplied’

Provided you have not modified or transformed PHIAC material in any way including, for example, by changing the text; calculating percentage changes; graphing or charting data; or deriving new statistics from published PHIAC statistics — then the PHIAC prefers the following attribution:

Source: Private Health Insurance Administration Council

Derivative material

If you have modified or transformed PHIAC material, or derived new material from those of PHIAC in any way, then PHIAC prefers the following attribution:

Based on Private Health Insurance Administration Council data

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are set out on the It’s an Honour website (see www.itsanhonour.gov.au).

Disclaimer

The purpose of this discussion paper is to stimulate discussion, debate and feedback to the PHIAC. It is not a position paper and the information canvassed in it does not constitute recommendations or legal advice. While PHIAC endeavours to ensure the quality of this paper, it does not accept any responsibility for the accuracy, completeness or currency of the material included in this paper, and will not be liable for any loss arising out of any use of, or reliance on, this paper. PHIAC encourages private health insurers to seek independent advice and to exercise care in relation to any material contained in this paper.


Table of Contents

1. Submissions and Enquiries (p. 2)
2. Risk management and private health insurance (p. 5)
3. Regulatory context (p. 8)
4. Approaches to risk management – the current picture (p. 10)
5. Reference points for the current review (p. 13)
6. Options to improve risk management (p. 15)
   Option 1: Retain status quo: no additional requirements regarding risk management arrangements (p. 15)
   Option 2: Non-binding risk management guidance material (p. 15)
   Option 3: Development of a Prudential Standard to require all insurers to adopt effective risk management practices (p. 16)
7. Possible elements of risk management guidance or a prudential standard (p. 18)
8. Assessment of options (p. 24)
9. Invitation to Comment (p. 25)
10. Next steps (p. 26)
11. Abbreviations used in this paper (p. 27)
12. Relevant legislative extracts (p. 28)


2. Risk management and private health insurance

The private health insurance industry is an enduringly important component of the Australian health system. For over one hundred years it has provided peace of mind through financial support and protection to policy holders and their families when they access health care in Australia.

Broad community support for private health insurance (PHI) is borne out by the fact that more than 50% of Australians (in excess of 12.3 million people) currently have some form of health insurance.

Recent years have seen the industry move in new directions with more targeted industry advertising, service provision to assist in the management of chronic diseases, increased reliance on brokers and the establishment of the government website privatehealth.gov.au. The result has been a wider range of products addressing a more sophisticated array of consumer needs.

While these developments have generally been seen as a positive contribution to the private health insurance offering, the corollary has been increasing complexity in a product area that is already viewed by many as challenging – market research indicates that around half of Australian health decision makers without PHI admitted that they just don’t think about it because it’s too confusing,1 while close to 8 in 10 people believe that private health insurance urgently needs to be simplified (IPSOS: 182). The future of PHI in Australia seems set to present further challenges as consumers grapple with ever-increasing choices in a broadening and evolving product set with associated informational, commercial, and risk issues.

The Private Health Insurance Administration Council (PHIAC) plays an important role in ensuring the industry remains competitive, efficient and financially sound. We achieve this through an ongoing program of fund reviews, the collection and dissemination of industry statistics, and the provision of advice to government, other regulators and consumers on the state of the industry.

PHIAC also plays an important role in ensuring that consumers of PHI are protected. Primarily this is achieved by ensuring the financial soundness of the industry, and through provision of key information to assist consumers to make well informed decisions about private health insurance for themselves and their families.

1 IPSOS, Health Care & Insurance Australia, 2011 report, p. 411.

These responsibilities are made explicit in the Private Health Insurance Act 2007 (PHI Act), which states that PHIAC should take all reasonable steps to strike an “appropriate balance” between three sometimes competing objectives, namely:

- fostering an efficient and competitive health insurance industry;
- protecting the interests of consumers; and
- ensuring the prudential safety of individual private health insurers.

It is within this context that PHIAC has been reviewing the effectiveness of the risk management practices being used across the Australian private health insurance industry, and discussing potential strategies for strengthening these practices directly with individual insurers. PHIAC’s ongoing program of fund reviews continues to highlight variability in the effectiveness of risk management in the industry. This raises a prudential concern which PHIAC must, in the proper discharge of its role, address.

This paper has been prepared to generate discussion within the industry about the adequacy of existing risk management practices, to raise awareness of PHIAC’s expectations in relation to risk management, and to discuss options to enhance risk management practices across the industry.

The paper develops the range of risk management concepts canvassed with the industry at the PHIAC seminars held across Australia in July and August 2012. In particular, this paper seeks to advance that discussion by proposing three approaches or options for improving the effectiveness of risk management within private health insurers. Accordingly, the options for discussion are:

- Option 1: Retain the status quo - no changes to existing arrangements.
- Option 2: Promulgation of non-binding, quasi-regulatory risk management guidance materials for the industry.
- Option 3: Development of a Risk Management Prudential Standard to require all insurers to adopt effective risk management practices.

PHIAC welcomes feedback on the discussion paper by the industry, consumers and other interested stakeholders. To assist PHIAC’s ongoing analysis of the issue, submissions should evaluate the relative merits of each option and, where practicable, provide analysis of the potential compliance costs of each proposal.

Receipt of such contributions will ensure that PHIAC can develop its consideration of this issue with the benefit of feedback which is well-informed, and which improves its capacity to ensure that policy holders are protected without unduly burdening the industry.

This paper marks the beginning of at least two rounds of industry consultation. Depending on the level of feedback received, it is envisaged that a second consultation round will occur in mid-2013. The second paper will provide feedback on the options canvassed in the first paper and, if necessary, additional information to support the consultation process. Comment on this first discussion paper must be received by PHIAC on or before COB Friday 15 March 2013.


3. Regulatory context

PHIAC engages with the industry primarily through a rolling program of fund reviews and desktop reviews, a quarterly review of key industry statistics, regular face-to-face meetings, workshops and electronic communications. This ensures PHIAC has an up-to-date and sound understanding of each insurer’s operations, and a strong evidence base for any regulatory activity. The industry benefits from these exchanges in being kept updated in relation to key changes in the sector, and by having access to PHIAC’s independent risk analysis methodologies to assist in identifying and resolving potential weaknesses in their operations.

PHIAC exercises a decision-making role in a range of industry transactions, including applications for registration, conversions to for-profit, mergers and acquisitions. In applying to PHIAC for appraisal and/or approval of these and other proposed transactions, the applicant must be able to demonstrate a sound business case, an ability to comply with all legislative requirements and that, during the transaction, policy holder interests will be protected.

Divisions 140 and 143 of the PHI Act describe PHIAC’s responsibility to develop financial standards for the industry, the Solvency and Capital Adequacy Standards (Capital Standards). The Capital Standards require insurers to retain sufficient capital to ensure their health benefits fund(s) remain solvent and hold sufficient capital to meet their liabilities. Monitoring compliance with the Capital Standards is a significant part of PHIAC’s day-to-day oversight, as ongoing compliance minimises the potential for insurer collapse.

PHIAC is also empowered under Division 163 of the PHI Act to set binding rules in a broad range of areas to ensure that insurers conduct their affairs with integrity, prudence and professional skill. Since 2007, PHIAC has exercised its powers in this area by making four Prudential Standards dealing with the topics of Appointed Actuaries (2007); Governance (2009); Disclosure (2011) and Outsourcing (2012). PHIAC sees the design and establishment of targeted industry standards as a key control in the proactive oversight of the industry’s affairs.

The PHI Act also explicitly sanctions PHIAC acting on a preventative basis in a range of situations. This acknowledges the principle that it is always better that an issue be addressed early and proactively, before it has developed the capacity to impact on policy holders and damage not only the reputation of the relevant insurers, but also, potentially, the wider industry.

Whilst PHIAC’s preference is to resolve issues collaboratively, where PHIAC has concerns about the long term financial position of an insurer, or has reason to believe that the affairs of an insurer are being, or are about to be, carried on in a way that is not in the interests of policy holders, it can pursue a range of enforcement actions, including the issuing of notices and/or directions; the commencement of investigations; requests for undertakings; the appointment of external managers; or Federal Court intervention.


4. Approaches to risk management – the current picture

During the last 10 years, the cornerstone of PHIAC’s regulatory oversight of the industry has been a rolling program of fund reviews, designed to analyse the operations of each insurer with a view to identifying potential weaknesses in an insurer’s operations before these weaknesses impact heavily on the insurer’s operations and policy holders. When combined with the quarterly and annual collection of statistics, the fund review program enables PHIAC to:

- identify and analyse risks specific to each insurer in a systematic manner;
- assess an insurer’s overall risk of failure; and
- monitor and prioritise the management of risk across the industry.

The fund review program examines insurer risk in nine key areas:

- board composition;
- risk governance;
- management;
- strategic planning;
- internal controls;
- business operations;
- investment;
- pricing; and
- capital management.

In 2009, a review of sixteen insurers identified that half were operating with informal risk management processes; that two thirds had limited or inadequate Board or Audit Committee review; and that staff awareness of the risk management process was less than optimal.

In January 2010, PHIAC introduced a Governance Standard to ensure that consistent and good practice governance arrangements were in place across all insurers. Relevantly, Rule 7(1) of the Governance Standard states:

“[Insurers must have] written policies to manage the insurer’s risks [and] procedures in place to monitor and evaluate compliance with the policy and ensure that the policy is regularly reviewed”.2

When it commenced in January 2010, this requirement established a base level of risk management in the industry, designed to enhance existing risk governance practices. It was left to individual insurers to develop policies appropriate to their operations and to develop procedures which would ensure their Boards and senior management teams could effectively monitor the risks of the insurer on an ongoing basis.

PHIAC’s fund review program has identified that since the introduction of the Governance Standard, the industry has adopted a broad range of approaches to meet this requirement, with significant variability in the effectiveness of these approaches and a focus on process rather than outcome.

More specifically, during 2011-12, a review of insurers’ risk management arrangements was conducted as part of the fund review program. Whilst many of the insurers reviewed demonstrated effective risk management practices, a significant number of those reviewed exhibited some or all of the following issues:

- Enterprise-wide risk management is generally not in place and, where it is, adjustments are needed to maximise its effectiveness.
- The engagement of Boards in strategic risk management is sometimes limited in a practical sense. Risk appetite statements may be in place, but where they do exist, changes are required to ensure they are operationalised effectively.
- The quality of risk management information and data going to Boards and Committees is often poor due to deficiencies in enterprise-wide risk management arrangements.
- An external, neutral assessor is often not employed to review risk management.
- Risk management skills are variable and, not infrequently, quite rudimentary.
- Mechanisms for engaging staff in risk management are not widely evident. Links between staff responsibilities and risk controls are not clearly apparent.
- The application of risk management as both a governance process and a business process is sometimes limited.

2 Rules 7(1)(a) and 7(1)(b) of Schedule 1 to the Private Health Insurance (Insurer Obligations) Rules 2009 (the Governance Standard).

PHIAC considers it essential that insurers should employ a structured and systematic approach to the identification and management of risk, given the complexity of the private health insurance business environment and the rate of change within the industry.

The benefits of changed and improved risk management practices include:

- increased likelihood of achieving business objectives;
- improved communications both internally and externally;
- improved governance and board oversight;
- more informed decision making;
- better use of resources;
- improved organisational resilience;
- improved fraud control; and
- improved compliance with legislative and regulatory requirements.

Whilst PHIAC does not advocate a one-size-fits-all solution to the application of risk management in the industry, it is considering options which will achieve sound prudential outcomes through consistent and effective risk management practices across the industry.


5. Reference points for the current review

The consequences of poor risk management are regularly highlighted by government and business failings reported through the media. Further, the effects of the Global Financial Crisis illustrate the new paradigm of networks, connectivity and systematic risk management requirements.

Risk management provides a recognised and demonstrable approach to improving the effectiveness of organisational governance. Through its application, business relationships are analysed and better understood, and decision making is better informed.

In developing options to assist insurers to benchmark their risk management, and to evaluate whether risks are being adequately addressed, PHIAC has taken into account the following reference points:

- PHIAC’s supervisory experience: PHIAC’s fund review program has highlighted the variability of insurers’ risk management practices.
- Introduction of the PHI Act: Enacted in 2007, the legislation contains provisions which specifically empower PHIAC to make prudential standards addressing the conduct by private health insurers of any of their affairs with integrity, prudence and professional skill.3
- The Governance Standard: As set out in Schedule 1 of the Private Health Insurance (Insurer Obligations) Rules 2009, the Governance Standard includes the requirement that insurers have written policies to manage the insurer’s risks, and procedures in place to monitor and evaluate compliance with the policy.
- APRA Risk Management Standards: Risk management is embedded in a number of prudential standards for approved deposit-taking institutions, and APRA stipulates specific risk management standards for general insurers and the superannuation industry.
- International Frameworks for Risk Management: the International Organisation for Standardisation (ISO) has established the ISO 31000 standard as the international standard for risk management. ISO 31000 includes principles, framework and processes which, when implemented, enable organisations to maximise the benefits of risk management. This ISO standard is not mandated for Australian organisations.
- The International Association of Insurance Supervisors (IAIS): The IAIS has issued a set of Insurance Core Principles (ICPs) which establishes an internationally recognised framework for the supervision of the insurance sector. Within the ICPs are specific principles and standards relating to risk management and what regulators must require of insurers with respect to risk management - including risk policy, compliance, internal audit and enterprise level risk management.
- The Australian Securities Exchange (ASX): The ASX has issued Corporate Governance Principles which include a seventh (7) principle on recognising and managing risk. Although these principles and their subordinate recommendations are not prescriptive, listed companies must disclose in their annual report any recommendations that have not been followed, and give reasons for not following them.
- Increasing systemic risk: The complexity of the modern business environment presents an increasing exposure to systemic risk. This risk can be better managed with an appropriate risk management framework which identifies, analyses and addresses these risks.

3 Division 163 of the Private Health Insurance Act 2007: Prudential Standards.


6. Options to improve risk management

To move forward, PHIAC is proposing three (3) options for consideration by industry stakeholders to improve the effectiveness of risk management across the industry.

PHIAC considers that the case for improvement has been established and that changes are required to reduce the risk of ineffective risk management within all insurers.

Option 1: Retain status quo - no additional requirements regarding risk management arrangements

Description: No changes or additional risk management requirements beyond those already contained in the PHI Act and the Governance Standard, which is contained in the Private Health Insurance (Insurer Obligations) Rules 2009.

Pros: No additional costs to insurers as there would be no change to the existing legislated provisions.

Insurers who choose to improve the application of risk management within their organisations will do so of their own volition, potentially improving the ownership and sustainability of changes introduced.

Insurers can choose a risk management system that best meets their business circumstances and commitment to risk management.

Cons: Potentially no changes to the existing variability in the effectiveness of insurer risk management.

Recommendations for improvement in insurer risk management remain limited to the requirements contained in the Governance Standard, which focus on the establishment of policy. Consequently, any substantial improvements deemed necessary cannot be required and enforced.

Compliance: No changes to current compliance obligations imposed by existing legislated provisions.

Option 2: Quasi-regulatory risk management guidance material

Description: Development and publication of guidance material to assist insurers in their understanding and application of the elements of effective risk management. This guidance material would draw on PHIAC’s extensive knowledge of the operations of the industry and individual insurers, and reflect domestic and international best practice.

Pros: Potentially no or limited additional costs to insurers as there would be no change to the existing legislated provisions.

Insurers who choose to apply the elements of effective risk management within their organisations will do so of their own volition, potentially improving the ownership and sustainability of changes introduced.

Guidance material would support the consistency of understanding and application of risk management across those insurers who choose to follow it.

Cons: Potentially no changes to the existing variability in the effectiveness of insurer risk management.

Recommendations for improvement in insurer risk management remain limited to the requirements contained in the Governance Standard, which focus on the establishment of policy. Consequently, any substantial improvements deemed necessary cannot be required and enforced.

Compliance: No changes to current compliance obligations imposed by existing legislated provisions.

PHIAC would include, as part of its fund review program, the review of an insurer’s risk management against such guidance material. Compliance with any recommendations would be discretionary.

Option 3: Development of a Risk Management Prudential Standard to require all insurers to adopt effective risk management practices

Description: Development of a prudential standard which prescribes risk management principles which insurers must comply with and apply to their operations. This standard would draw on PHIAC’s extensive knowledge of the operations of the industry and individual insurers, and reflect domestic and international best practice.

Pros: Consistency in the understanding and application of risk management elements across all insurers will be achieved.

Being principles-based, the standard would allow insurers to tailor the application of the elements of effective risk management to their operations in a way that reflects their ongoing needs and business arrangements.

The proposed principles-based regulation will also shift the current compliance-based emphasis on documenting risk management policies to a holistic approach to risk management which takes into account the entire operations of an insurer.

Cons: There will be additional costs to those insurers who do not already have the elements of effective risk management in place. These costs may include the contracting of additional staff, training and/or the acquisition of software to improve the monitoring and reporting on risk.

Compliance: Insurers would be required to comply with the standard and demonstrate their compliance through:

1. An annual statement of compliance to PHIAC signed by a member of the Board on behalf of the Board indicating that the insurer has complied with the requirements of the Risk Management Standard; and
2. Ongoing compliance with the Standard, as monitored through a rolling program of reviews conducted by PHIAC on an insurer’s risk management arrangements.

Any compliance concerns identified, while most likely to be resolved through discussion and consultation between PHIAC and an insurer, are nevertheless able to be enforced via the Council’s powers.

Preferred option

Option 1, maintaining the status quo, is not PHIAC’s preferred option as it does not address the identified issues of variability in the application of risk management in the PHI industry.

Both Options 2 and 3 are more likely to contribute to achieving PHIAC’s objective of improved risk management practices. Although these two approaches will have different implementation requirements, the high level elements within both would be similar and are discussed below in section 7.


7. Possible elements of risk management guidance or a prudential standard

Drawing on the sources noted in section 5, PHIAC considers that the principles of effective risk management which it may include in quasi-regulatory guidance material, or in a prudential standard, are:

1. an enterprise-wide risk management framework;
2. obligations for the Board and Senior Executive to ‘set the tone at the top’ and encourage leadership to embed and engender a risk management culture;
3. effective systems to capture, store, analyse and utilise risk information;
4. internal communication systems which ensure that all staff understand and are committed to implementing risk management strategies; and
5. access to appropriate risk management skills and knowledge.

Most of these principles feature as orthodox elements in a range of risk management publications, standards and frameworks, both within Australia and internationally. The one exception is the element requiring the establishment of an enterprise-wide risk management framework.

PHIAC is of the view that such a framework will form the basis for the successful integration of risk management into the governance and management arrangements of an insurer. An enterprise-wide risk management framework identifies and brings together the organisational components that contribute to the overall purpose of an insurer and, if created and applied appropriately, improves the understanding of the relationships between risk and control at all levels of the business.


The following table expands on these principles of effective risk management.

1. Establish an enterprise wide risk management framework

1.1. Requirement: An Enterprise-wide Risk Management (ERM) framework be established by the insurer and approved by the insurer’s Board.
Benefits: Improves visibility of risk in the organisation and links the objectives of the insurer to its risk management processes.
Demonstrated by: The existence of an ERM framework. Evidenced by board minutes indicating consideration of the framework by the board and its approval.

1.2. Requirement: The ERM framework forms part of an insurer’s governance arrangements. Senior executives and managers understand the framework.
Benefits: Risk management becomes an integral part of governance and the business management model of the insurer.
Demonstrated by: The integration of the ERM framework with performance management, reporting, subordinate committees, audit and organisational structure.

1.3. Requirement: Risk management is integrated with business planning processes and used to inform the establishment of strategies and actions in business plans.
Benefits: Improves the focus of strategies and actions in business plans on achieving objectives. Increases stakeholder involvement.
Demonstrated by: Risk assessment reports against objectives in business plans. Evidence of control activities in business plans.

1.4. Requirement: Contingency plans are prepared to ensure that critical business operations are safeguarded as far as possible.
Benefits: Enhanced business resilience. Improved understanding of the critical business processes within an insurer.
Demonstrated by: Business continuity plans. Business impact analysis documents.

1.5. Requirement: Insurers integrate risk management processes into the development of project plans and activities.
Benefits: More effective project plans and activities increasing the likelihood of successful projects.
Demonstrated by: Risk assessment reports against project deliverables. Evidence of control activities being translated into project plans.


2. Board and senior executive leadership

2.1 Requirement: The Board is responsible for managing strategic risk.
Benefits: Leverage off the skills and experience of board members. Set an appropriate tone at the top regarding the application of risk management.
Demonstrated by: Strategic risks identified and approved by the board including an agreed understanding of the controls/response to these risks. The risk appetite is approved by the board.

2.2 Requirement: The Board is to get regular, credible information from management about identified risks, the operation of controls and the compliance with internal policies and laws.
Benefits: The Board can focus on strategic issues, risks and controls in the knowledge that operations are under control and that information about operations is timely, accurate and reliable.
Demonstrated by: Risk reports provided on a regular basis to the board that reflect the design and application of the ERM framework.

2.3 Requirement: Risk management information is taken into account when important decisions are being taken.
Benefits: Decision-makers have more information to inform decisions.
Demonstrated by: Key or strategic decisions taken by the board or senior management are documented and include information about the risks to success, the effectiveness and costs of control and the likely consequences (positive and negative) of the decision.

2.4 Requirement: Every five years the ERM framework should be subject to external review.
Benefits: Provides assurance to the board and other stakeholders that the insurer’s ERM framework is operating effectively and maximises the application of risk management within the organisation.
Demonstrated by: A report from the review of the ERM framework to the board.


3. Capturing, storing, analysing and utilising risk management information

3.1 Requirement: The ERM framework is to ensure that information about risk moves effectively from operational to strategic areas of the business and vice versa.
Benefits: The operational areas of the insurer have a mechanism to escalate concerns about risk levels or the effectiveness of control activities.
Demonstrated by: An ERM framework that identifies relationships between risks and objectives across the organisation. Risk reports contain information sourced from the operational area.

3.2 Requirement: The risk register is maintained and updated regularly.
Benefits: Risk information can be properly captured, analysed and reported.
Demonstrated by: A risk management software program and evidence that relative risk levels are regularly reviewed by the Board, analysed and properly understood by staff.

3.3 Requirement: The ERM framework establishes categories of risk that reflect an insurer’s key business and operational objectives.
Benefits: Enables the understanding of how to manage risk within the business environment of the insurer. Links the objectives of the insurer to its risk management processes.
Demonstrated by: Clear alignment between the ERM framework and the organisational structure of the insurer. Use of the categories of risk in the structure of the risk register.

3.4 Requirement: The Board and senior executives and managers receive effective and timely information on the status of risks and controls from all areas of the organisation.
Benefits: Effective assurance of business control is provided to accountable officers. Early warning of issues enabling preventative action to be initiated.
Demonstrated by: The frequency and quality of risk reports provided to the board and senior management.

3.5 Requirement: The internal audit program should be risk based, drawing on information from the risk register.
Benefits: The internal audit program targets areas of greatest risk and consequence as well as key controls.
Demonstrated by: The alignment of the internal audit program to the ERM framework and information from the risk register.


4. Obtaining and maintaining staff commitment to risk management

4.1 Requirement: Board and senior management are committed to effective risk management and set the tone for the rest of the organisation.
Benefits: Embeds risk management into organisational culture.
Demonstrated by: Board endorsed risk management policy and the use of risk management information in reporting and decision making.

4.2 Requirement: At all levels, staff see a risk management policy that:
    - commits the insurer to applying risk management;
    - sets risk management objectives;
    - establishes risk management governance arrangements;
    - defines the risk management processes to be applied including the engagement of stakeholders;
    - outlines the insurer’s approach to risk tolerance, risk escalation and risk reporting; and
    - mandates risk management roles and responsibilities across the insurer.
Benefits: Demonstrates the insurer’s commitment to risk management and works to obtain staff commitment to its application.
Demonstrated by: The existence of a risk management policy with the requisite components.

4.3 Requirement: Risk management processes are adaptable to the context in which they are being applied.
Benefits: Enables staff flexibility in the use of risk management processes to meet their needs. Engenders commitment.
Demonstrated by: Risk assessments are appropriately adapted to their purpose and are regularly reviewed and updated.

4.4 Requirement: All significant risks of an insurer have a responsible officer or risk owner.
Benefits: Ensures risks are managed and reported.
Demonstrated by: Documents listing risk owners of all high level risks. Position statements and/or performance agreements with clear risk management responsibilities.

4.5 Requirement: Staff understand the connection between their conduct and risk in the management of the organisation.
Benefits: Integrates staff behaviour into the overall control framework of the insurer.
Demonstrated by: Risk management responsibility statements in performance agreements. Involvement of staff in risk assessment workshops.


5. Risk management skills and knowledge

5.1 Requirement: Board, senior executives and employees are provided with risk management training and ongoing support.
Benefits: More effective application of risk management processes including analysis of risk and design of controls.
Demonstrated by: Risk management training programs. Facilitated risk management workshops. Specialist risk management function. Quality of risk management reports.

5.2 Requirement: Risks are described in a way that supports the application of risk management processes.
Benefits: A common understanding of risks. Enables a detailed analysis of risk resulting in more effective design of controls.
Demonstrated by: Listing of high level risks. Risk reports detailing analysis and control development processes.

5.3 Requirement: Insurers have access to a specialist risk management capability.
Benefits: Supports consistent and ongoing application of risk management.
Demonstrated by: The existence of a risk management function or role within the organisational structure.


8. Assessment of options

PHIAC seeks feedback on the options presented in this discussion paper from industry, consumers and other interested stakeholders. To assist PHIAC’s analysis of the options, submissions should evaluate the relative merits of each of the three (3) options, and, where practicable, the costs associated with the potential implementation and ongoing compliance of each proposal.

Following receipt of submissions, PHIAC will analyse the options to improve the effectiveness of risk management in the private health insurance industry. This analysis will consider all views of the options presented in this discussion paper, in terms of:

- potential to achieve the desired outcome;
- cost of implementation to industry and consumers; and
- ongoing compliance requirements.

The assessment of options will be largely influenced by the feedback, comments and submissions received.


9. Invitation to Comment

This discussion paper outlines options for improving the effectiveness of risk management arrangements in private health insurers. PHIAC invites submissions on any element of the paper but is specifically interested in stakeholder views on the abovementioned three (3) options for improvement, and the extent to which each option will potentially:

- achieve the required improvements in risk management;
- impose unnecessary or unjustified costs on insurers; and / or
- impose excessive compliance obligations on insurers.

All information (including name and address details) relating to a submission may be made publicly available via PHIAC’s website, and may be referenced in future PHIAC papers and reports. If you prefer that some, or all, of your submission remains in confidence, you should state this in your submission and the confidential material should be clearly identified and included in a separate attachment. You should carefully consider the information contained in your submission as the confidentiality of your response might be affected by legal requirements such as the Freedom of Information Act 1982.

PHIAC invites submissions and requires that they be received on or before COB Friday, 15 March 2012. Submissions can be emailed to [email protected] or sent to:

General Manager, Industry Operations

Private Health Insurance Administration Council

PO Box 4549

KINGSTON 2604


10. Next steps

The next steps in the review of risk management arrangements in insurers include:

Date (2013)      Action
21 January       Discussion Paper issued for an 8 week consultation period
15 March         Discussion Paper submissions due
March/April      PHIAC consideration of feedback, comments and submissions
May              Second Discussion Paper issued for another 8 week consultation period
June/July        Second Discussion Paper submissions due
July/August      PHIAC consideration of feedback, comments and submissions
2nd half 2013    Adoption of preferred option


11. Abbreviations used in this paper

ACCC       Australian Competition and Consumer Commission
APRA       Australian Prudential Regulation Authority
ASIC       Australian Securities and Investments Commission
ASX        Australian Securities Exchange
Board      The board of directors of a private health insurer
COB        Close of business (usually 1700hrs)
ERM        Enterprise Risk Management Framework
FOI Act    Freedom of Information Act 1982
Fund       The health benefits fund or funds of an insurer registered under the Private Health Insurance Act 2007
IAIS       International Association of Insurance Supervisors
ICP        Insurance Core Principles issued by the IAIS
Insurer    A private health insurer registered under the Private Health Insurance Act 2007
ISO        International Organisation for Standardisation
PHIAC      The Private Health Insurance Administration Council
PHI Act    The Private Health Insurance Act 2007


12. Relevant legislative extracts

Extracts from the Private Health Insurance Act 2007

Section 163-1 Private Health Insurance (Insurer Obligations) Rules to establish prudential standards

(1) The Private Health Insurance (Insurer Obligations) Rules may establish prudential standards

(2) Prudential matters are matters relating to:
    (a) the conduct by private health insurers of any of their affairs in such a way as:
        (i) to keep themselves in a sound financial position; or
        (ii) not to cause or promote instability in the Australian private health insurance system; or
    (b) the conduct by private health insurers of any of their affairs with integrity, prudence and professional skill;
    but does not include matters relating to the solvency or capital adequacy of health benefits funds.

(3) A *prudential standard may impose different requirements to be complied with:
    (a) by different classes of private health insurers; or
    (b) in different situations; or
    (c) in respect of different activities.

(4) A *prudential standard may provide for the Council to exercise powers and discretions under the standard, including but not limited to discretions to approve, impose, adjust or exclude specific prudential requirements in relation to a particular private health insurer or a particular class of private health insurers.

(5) A *prudential standard takes effect on the day on which it is established in the Private Health Insurance (Insurer Obligations) Rules, or on such later day as is specified in the Private Health Insurance (Insurer Obligations) Rules.


*Note: The prudential standards are established by the Private Health Insurance (Insurer Obligations) Rules.

Section 264-10 Functions of the Council

General

(1) The functions of the Council are:
    (a) to administer the Risk Equalisation Trust Fund; and
    (b) to administer the registration of private health insurers under Part 4-3; and
    (c) the information collection function under subsection (2); and
    (d) the compliance functions under subsection (3); and
    (e) the enforcement functions under subsection (4); and
    (f) the public information functions under subsection (5); and
    (g) the agency cooperation functions under subsection (6); and
    (h) to advise the Minister about the financial operations and affairs of private health insurers; and
    (i) functions incidental to any other functions of the Council; and
    (j) any other functions conferred on the Council by this, or any other, Act.

Information collection function

(2) The information collection function of the Council is to obtain from each private health insurer regular reports about the insurer’s operations, including reports supported by actuarial certification.

Compliance functions

(3) The compliance functions of the Council are:
    (a) to establish a *solvency standard and a *capital adequacy standard to be complied with by private health insurers, and to give solvency directions and capital adequacy directions to private health insurers; and


    *Note: The solvency standard and the capital adequacy standard are established by the Private Health Insurance (Health Benefits Administration) Rules.
    (b) to exercise powers and discretions under the *prudential standards, and to give directions to private health insurers relating to compliance with the prudential standards; and
    *Note: The prudential standards are established by the Private Health Insurance (Insurer Obligations) Rules.
    (c) to consider, in accordance with Division 160, whether persons should, or should not, be appointed actuaries; and
    (d) to consider, in accordance with Division 166, whether persons should, or should not, be disqualified persons; and
    (e) to examine, from time to time, the financial affairs of private health insurers, by the inspection and analysis of the records, books and accounts of the insurers and any other relevant information; and
    (f) to review, by carrying out independent actuarial assessment, the value of the assets and liabilities of each health benefits fund; and
    (g) if it is necessary, for the purpose of making a proper examination of the financial affairs of a private health insurer, for the Council to incur unusually high costs—to impose an appropriate fee on the private health insurer concerned.

Enforcement functions

(4) The enforcement functions of the Council are:
    (a) to take action under Part 5-2 to monitor compliance with, and to encourage or compel compliance with, Council-supervised obligations; and
    (b) to appoint, under section 214-1, inspectors for the purpose of investigating the affairs of private health insurers under Division 214, and to exercise other related powers and functions of the Council under that Division; and
    (c) to appoint, under Subdivision 217-B, persons as external managers of health benefits funds, and to exercise other related powers and functions of the Council under Division 217 and 220


Public information functions

(5) The public information functions of the Council are:
    (a) to make statistics, and other financial information, relating to a private health insurer or private health insurers, publicly available in accordance with the Private Health Insurance (Council) Rules; and
    (b) to collect and disseminate information about private health insurance, for the purpose of enabling people to make informed choices about private health insurance.

Agency cooperation functions

(6) The agency cooperation functions of the Council are:
    (a) to cooperate with other regulatory agencies on matters affecting private health insurers and the private health insurance industry generally; and
    (b) to provide the Private Health Insurance Ombudsman, from time to time, with information in the Council’s possession that the Council considers likely to be of use in production of the State of the Health Funds Reports referred to in paragraph 238-5(c).