The first month of the year is called after a Roman God, Janus, who is usually depicted with 2 faces, one looking back and one looking forward. Janus is associated with new beginnings and gateways.
What is perhaps lesser known is that Janus is associated not only with the month of January but also lends his name to the word janitor.
It is customary in January to read about the past year’s events as well as predictions for the year ahead.
I will not dedicate my first piece of 2012 to speculation on expected 2011 results (the good, the bad and the ugly). Nor will I try to predict whether reinsurance will harden following the relative instability of the Euro or the ongoing global political and economic sagas.
Instead I will refer to some past and current events in relation to a topic to which the GCC market has been paying lip service for a very long time while, in general, doing very little about it: corporate governance. Although corporate governance and prudential regulations go hand in hand, the two are not the same and one should not depend on the other. Many companies have often pointed fingers at regulators for doing too little in this respect. However, in reality, corporate governance concerns the internal affairs of an enterprise.
Self-Discipline and Competence
Although technical or economic reasons have been cited over the past decade when market stalwarts in, for example, Dubai, Abu Dhabi, Oman etc. have been brought to their knees, behind these reasons there is always a lapse in corporate governance. This is not just a regional phenomenon. Ashby et al (FSA, 2002), in their paper ‘Lessons about Risk: Analysing the Causal Chain of Insurance Company Failure’, discuss the findings of the 2001 EU Insurance Supervisors’ Conference, which analysed 21 supervisory cases of failures or near failures of insurance companies from 15 different countries and came to essentially the same conclusions, namely:
- No single cause is responsible for the failure of a company;
- Common causes in all cases are what they called ‘sloppy’ management and the inter-related governance / systems lapses;
- Even in the two cases in which, prima facie, no lapse of governance was evident, further investigation revealed that this played a decisive role in the companies’ failure.
Similarly, in the USA, Grace et al (Georgia State University, 2003), studying the failure of 250 property and casualty insurance companies between 1986 and 1999, built their hypotheses on three main components augmenting insolvency costs. One of these was specifically the moral hazard attached to management decisions and/or behaviour of troubled insurance joint-stock companies.
Oman Insurance Company’s recent announcement of a formidable senior management suite, including a head of distribution who also previously had ERM experience as well as a ‘tried and tested’ head of internal audit, is certainly a step in the right direction. The company’s results may still have to travel south before going north again but when people marvel at magnificent edifices they tend to overlook the fact that these stand on a sturdy foundation. These changes are perhaps the necessary foundation work after a 2011 of debris removal. The reason why some heads rolled in 2011 may manifest itself in financials. Passing technical performance through an ERM/governance sieve may help us draw not only certain conclusions but also lessons on how individuals, teams and boards ought to behave.
Many insurance companies in the region should take the cue in 2012 and look very closely at their internal corporate governance regimes, the authority limits and the oversight structures. They should ensure that no CEO or Managing Director reigns supreme; and this above all for his or her own protection as well as that of the company and its stakeholders. This admonition is aimed at all insurance companies active in the region but even more so at the ones that are onshore regulated in jurisdictions where regulation is still work-in-progress.
An ‘A’ rating is not necessarily a universal ‘carte blanche’ on a company’s health and wellbeing. The larger companies in the region have all been too obliging with credit rating agencies to prove that the necessary risk management and governance regimes were in place. But one should hasten to ask, “To what extent have these been cosmetic?” Try as they might, rating agencies are generally out of their depth when deliberating on potential results that do not necessarily emerge from number-crunching. For example, hypothetically, would they have flagged the name of a person on an OFAC list if it is uncannily similar to that of someone in a responsible position within, say, a regional ‘A’ rated insurance group? Or do they just brush over these and other issues (TOBAs, KYCs, sanctions procedures, oversight processes etc.)? It is such, perhaps seemingly small, current misgivings (white lies and venial sins masterfully covered in make-up, or not) that, like woodworm, collectively dilapidate an enterprise, bringing it to its knees. ERM and corporate governance are more qualitative than they are quantitative. This is not something that can be easily modelled. One needs not only the nose for it but also the intestinal capacity to walk the talk. Take it from a whistle-blower.
Internal Audit and ERM
Traditionally, internal audit and ERM functions in insurance companies within the region have not communicated effectively and significant synergy between the two has been lost. There may also be merit in merging the operational functions at the ERM and internal audit coal face whilst maintaining their independent reporting lines at board level.
Both internal audit and ERM/GRC operate at arm’s length from other functions within the company. Both have a relative degree of independence. The main differences between the internal audit and ERM/GRC processes are that:
- Internal audit operates at a micro-level, i.e. identifying and reporting individual non-compliance areas;
- ERM/GRC operates more at a macro-level, measuring actual performance against risk appetite and risk tolerance (represented by the traffic light system, risk dashboard, heat maps etc.).
- Also, internal audit identifies and reports (and is more ‘surgical’ in its approach) whereas ERM/GRC identifies, analyzes and recommends corrective action (i.e. is more systematic and holistic in approach).
- From a cultural and/or governance perspective, internal audit is already entrenched at Board of Directors (or Board Committee) level. ERM/GRC, other than oversight, is not.
These differences serve to augment the synergy potential between the two processes as well as reinforcing the argument for greater cohesion between them.
2012 will be a better year than 2011 for the regional insurance industry in terms of business growth. I hope we will also see greater wholesale acceptance of internal corporate governance as the precursor of sustainable long-term growth. If we do not learn from history we are doomed to repeat it.