COVID-19 and Risk Management for the Insurance Sector

COVID-19 and its widespread economic challenges have highlighted the importance for insurers to review the strength of their risk management frameworks, perform robust stress testing to assess potential resilience to severe downturns, and consider their role in vaccine rollouts and the management of emerging risk exposures.

The Australian Prudential Regulatory Authority (APRA) has especially called attention to insurers’ risk management frameworks and the stress testing activities used to inform capital, crisis and risk management.

This blog covers the recent letter from APRA requesting several general insurers to review their risk management frameworks, APRA’s stress testing on insurers based on COVID induced scenarios and the key findings, and additional risk considerations for insurers given the current vaccine rollout.

APRA’s review of insurance risk management frameworks

On 19 July 2021, APRA issued a letter to several general insurers, requiring them to review the soundness of their risk management frameworks (RMFs) due to recent issues with business interruption (BI) insurance.

With the rise in potential BI claims due to COVID restrictions and lockdowns, many insurers are exposed through policy wording that lacks clarity and does not reflect current legislation due to pandemic exclusion clauses referencing archived legislation.

This has raised APRA’s concerns regarding the strength of insurers’ RMFs. Insurers who received the letter from APRA are expected to undertake a self-assessment of their RMFs with a focus on not only BI but also cyber risk and a consideration of the broader RMF across all areas. The purpose of the self-assessment is to reduce the likelihood of a similar problem occurring in the future, in terms of exposure and legal uncertainty.

“Where the self-assessments identify material concerns, APRA will consider whether further supervisory action is warranted. The consolidated findings will also be published to send clear messages to all insurers around observed weaknesses, better practice, and the importance of maintaining robust insurance risk management frameworks.” – APRA Deputy Chair Helen Rowell

Attached to the letter was guidance material to assist with the self-assessment, which APRA encourages all insurers (not only those in receipt of the letter) to consider in reviewing their own risk management practices.

Timing of the self-assessment

Self-assessments are due to be completed and submitted to APRA (no more than 20 pages in total) by 30 November 2021.

Once received, APRA will analyse and benchmark the results. Consolidated results will be released publicly, focusing on learnings and better practice. Specific entity feedback will be provided in early 2022.

What does the self-assessment involve?

The self-assessment required by APRA consists of three parts:

1. Part A

The insurer is asked to review the robustness of certain risk control/elements within its insurance risk management framework, assess whether these were effective in the context of identifying or mitigating BI issues, and identify areas for improvement. Insurers are to consider the effectiveness of controls to address risk associated with the following insurance risk elements:

Product life cycle management
Reinsurance
Underwriting and distribution
Assurance
Governance

2. Part B

The insurer is then required to assess the extent to which the insurance risk management framework, including any improvements determined in Part A, would be effective in mitigating similar issues emerging within other product lines to those experienced with BI. In this assessment, insurers are to focus on:

Silent cyber exposure across their product lines, i.e. where there is no specific inclusion (affirmative) or exclusion of cyber risks in the policy wording – including how each risk was assessed, quantified, managed and/or mitigated or if no exposure is identified, how the insurer came to this conclusion; and
Affirmative cyber products (where cyber risks are specifically written in the policy wording) – alternative products may also be proposed for assessment, considering heightened insurance risk factors such as new products, new wordings, emerging exposures high exposure limits, broker wordings and delegated underwriting authorities.

3. Part C

To provide an appropriate level of assurance on the self-assessment, the insurer’s internal audit function is to review and attest as to the adequacy and robustness of the process undertaken to arrive at the findings of Parts A and B of the assessment. The insurer may obtain this assurance by another method (e.g. external independent review), however this needs to be agreed with APRA.

The board of the insurer is required to endorse the self-assessment and note on what basis the endorsement has been provided, i.e. how it assured itself that the exercise was sufficiently comprehensive and performed to a high degree of objectivity and accountability.

COVID-19 and insurer stress testing

APRA uses stress testing to provide forward-looking assessments of the resilience of its regulated entities to severe yet realistic downturns.

In the wake of the COVID pandemic and the changing risks faced by insurers, APRA conducted a series of stress testing activities on life and general insurers during 2020. APRA conducted several stress tests with:

The 21 largest life insurers, covering 90 percent of the sector by gross written premium.
Four active lenders mortgage insurers, covering most of the sector by gross written premium.

APRA’s stress tests of life insurers and lenders mortgage insurers featured two separate severe downturn scenarios designed by APRA, assuming continued COVID-19 outbreaks within Australia followed by recurring Stage Three and Four restrictions, ongoing international border closures, and sharp contractions in economic activity over a three-year period.

As well as life insurers and lenders mortgage insurers, APRA also completed an assessment of internal stress testing capabilities of the 18 largest general insurers to identify how they could enhance their capital management practices and improve their resilience to adverse conditions.

APRA received information from insurers used to inform assessments of their stress testing capabilities, including how effectively stress test outcomes are internally challenged, engagement of the board and senior management in stress testing, and how stress tests are used to inform capital management decisions.

Key findings

APRA’s stress tests of life insurers and lenders mortgage insurers reveal that these insurers are well-positioned to withstand a very severe economic downturn. Even with significant losses of capital in these severe stress scenarios, both industries would generally remain above their minimum capital requirements, while still meeting their commitments to policyholders. Further, it’s worth noting that these results are before any benefits from management actions to respond to the stress event. APRA notes that variations in capital impacts between individual insurers were due to different business models, portfolio composition and levels of reinsurance coverage.

This highlights the importance of insurers regularly using stress testing under a wide range of scenarios – including sufficiently severe downturns – to test the boundaries of their capital levels, especially as key risks evolve.

APRA’s assessment of GIs’ stress testing capabilities revealed that several insurers developed and used internal stress test scenarios that were severe enough for them to respond to the stress via management actions but were not severe enough to test the limits of their capital adequacy.

The stress tests have also reinforced APRA’s view that there remains room to improve stress testing capabilities across the insurance industry, particularly as regular stress testing should form a key part of insurers’ capital management decisions.

The role of insurers in the COVID-19 vaccine rollout

As insurers review their risk management frameworks, as informed by stress testing, the consideration of emerging risk exposures should include the potential role of general insurers in the vaccine rollout process. This includes the risks associated with any specific underwriting of vaccination indemnification programs, where relevant, as well as the potential for coverage of exposures under existing policy wordings for various insureds.

As the vaccination of the Australian population against COVID-19 ramps up, this invites a variety of new risks, including transport, logistics, crime and cyber-attacks:

Incorrect storage and transportation – for vaccines that need to be kept at specific temperatures to remain viable.
Criminal activity – theft and illegal sale of authentic vaccines, counterfeiting and substitution with pharmaceuticals.
Cyber-attack – targeting data around viable vaccines and their testing, as the COVID-19 vaccine has taken on political symbolism with knowledge on the vaccine’s efficacy being equated with the power.
Short or long term side effects (including death) – vaccine injury compensation, especially for general practitioners who administer the vaccine and corporates who choose to aid the vaccine rollout for their employees.

General insurers will need to be cognisant of such risks when underwriting or maintaining relevant covers and assessing associated risk mitigations, particularly for the transportation of vaccines across the world. For example, as some vaccines must be kept at extremely low temperatures, this makes them fragile. The fragility of these vaccines adds to logistics and supply chain challenges to ensure the vaccines are transported under the right conditions. As a result, the potential issues in transporting vaccines may cause the premiums of some insurance products to rise.

With regards to indemnification programs, Federal and State Governments are managing the vaccine rollout via bulk vaccination hubs, and the Federal Government is in the process of negotiating an indemnification scheme for the provision of vaccinations via general practitioners. Some of the risk is managed via individual informed consent, particularly for younger Australians taking up the AstraZeneca vaccine.

In terms of corporate vaccination policies and rollouts, SPC and Qantas are the first two Australian employers to make vaccination mandatory to be able to work. The details around how these corporates are managing the associated risk exposures are not currently publicly available.

The question is, how will the risks and costs associated with these rollouts be allocated? Insurers will need to ask these questions internally and consider any risks passed on by governments, pharmaceutical companies, distributors, health professionals and corporates through increased or continued insurance coverage.

How Hall Advisory can help

Hall Advisory offers practical expertise in risk management and regulatory compliance across the financial services sector, including insurance.

Our core services include independent triennial or adhoc reviews of the complete risk management framework for an organisation, giving consideration to the changing and emerging risks posed by the business and industry environment.

We also assist our clients with the development and enhancement of risk management frameworks, including:

Risk appetite statements and tolerance limits.
Risk culture frameworks and independent diagnostics.
Risk assessment, aggregation and connectivity.
Insurance/reinsurance strategies, policies and procedures, including the review of policy wording in light of changing circumstances and legislation.
Operational risk management frameworks and modelling tools.
Business continuity, cyber risk (in conjunction with our specialist partners) and data management frameworks.

For external assistance with your organisation’s risk management framework, contact us today and let’s start with a confidential, no-obligation conversation about how we can help you.