1 1. Submissions and Enquiries | PHIAC
Disclaimer
This is a discussion paper whose purpose is to stimulate discussion, debate and feedback to the Private Health Insurance
Administration Council. The Private Health Insurance Administration Council disclaims any liability for any loss or damage
arising out of any use of this paper. The Private Health Insurance Administration Council encourages private health
insurers to seek independent advice and to exercise care in relation to any material contained in this paper.
Consultation Paper
RISK MANAGEMENT FOR PRIVATE HEALTH INSURERS
January 2013
1. Submissions and Enquiries
The Private Health Insurance Administration Council (PHIAC) invites submissions on the contents and
the potential regulatory impact of this discussion paper. Submissions and enquiries may be directed
to:
General Manager, Industry Operations
Private Health Insurance Administration Council
PO Box 4549
KINGSTON 2604
(02) 6215 7900
www.phiac.gov.au
Important
Submissions should be in writing and provided to PHIAC by Friday, 15 March 2013.
Submissions may also be the subject of a request for access made under the Freedom of Information
Act 1982 (FOI Act). PHIAC will determine such requests, if any, in accordance with the provisions of
the FOI Act.
Accessing this paper online
This paper, together with further information about PHIAC and the private health insurance industry,
can be accessed from PHIAC’s website www.phiac.gov.au.
Use of this Paper
While PHIAC endeavours to ensure the quality of this publication, it does not accept any responsibility
for the accuracy, completeness or currency of the material included in this publication and will not be
liable for any loss or damage arising out of any use of, or reliance on, this publication.
This publication is available for your use under a Creative Commons Attribution 3.0 Australia licence,
with the exception of the Commonwealth Coat of Arms, photographs, images, signatures and where
otherwise stated. The full licence terms are available from
http://creativecommons.org/licenses/by/3.0/au/legalcode.
Use of PHIAC material under a Creative Commons Attribution 3.0 Australia licence requires you to
attribute the work (but not in a way that suggests that PHIAC endorses you or your use of the
work).
PHIAC material used ‘as supplied’
Provided you have not modified or transformed PHIAC material in any way including, for example, by
changing the text; calculating percentage changes; graphing or charting data; or deriving new
statistics from published PHIAC statistics — then the PHIAC prefers the following attribution:
Source: Private Health Insurance Administration Council
Derivative material
If you have modified or transformed PHIAC material, or derived new material from those of PHIAC in
any way, then PHIAC prefers the following attribution:
Based on Private Health Insurance Administration Council data
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are set out on the It’s an Honour website (see
www.itsanhonour.gov.au).
Disclaimer
The purpose of this discussion paper is to stimulate discussion, debate and feedback to the PHIAC. It
is not a position paper and the information canvassed in it does not constitute recommendations or
legal advice. While PHIAC endeavours to ensure the quality of this paper, it does not accept any
responsibility for the accuracy, completeness or currency of the material included in this paper, and
will not be liable for any loss arising out of any use of, or reliance on, this paper. PHIAC encourages
private health insurers to seek independent advice and to exercise care in relation to any material
contained in this paper.
Table of Contents
1. Submissions and Enquiries ........ 2
2. Risk management and private health insurance ........ 5
3. Regulatory context ........ 8
4. Approaches to risk management – the current picture ........ 10
5. Reference points for the current review ........ 13
6. Options to improve risk management ........ 15
Option 1: Retain status quo: no additional requirements regarding risk management arrangements ........ 15
Option 2: Non-binding risk management guidance material ........ 15
Option 3: Development of a Prudential Standard to require all insurers to adopt effective risk management practices ........ 16
7. Possible elements of risk management guidance or a prudential standard ........ 18
8. Assessment of options ........ 24
9. Invitation to Comment ........ 25
10. Next steps ........ 26
11. Abbreviations used in this paper ........ 27
12. Relevant legislative extracts ........ 28
2. Risk management and private health insurance
The private health insurance industry is an enduringly important component of the Australian health
system. For over one hundred years it has provided peace of mind through financial support and
protection to policy holders and their families when they access health care in Australia.
Broad community support for private health insurance (PHI) is borne out by the fact that more than
50% of Australians (in excess of 12.3 million people) currently have some form of health insurance.
Recent years have seen the industry move in new directions with more targeted industry advertising,
service provision to assist in the management of chronic diseases, increased reliance on brokers and
the establishment of the government website privatehealth.gov.au. The result has been a wider
range of products addressing a more sophisticated array of consumer needs.
While these developments have generally been seen as a positive contribution to the private health
insurance offering, the corollary has been increasing complexity in a product area that is already
viewed by many as challenging: market research indicates that around half of Australian health
decision makers without PHI admitted that they just don’t think about it because it’s too confusing,[1]
while close to 8 in 10 people believe that private health insurance urgently needs to be simplified
(IPSOS: 182). The future of PHI in Australia seems set to present further challenges as consumers
grapple with ever-increasing choices in a broadening and evolving product set with associated
informational, commercial and risk issues.
The Private Health Insurance Administration Council (PHIAC) plays an important role in ensuring the
industry remains competitive, efficient and financially sound. We achieve this through an ongoing
program of fund reviews, the collection and dissemination of industry statistics, and the provision of
advice to government, other regulators and consumers on the state of the industry.
PHIAC also plays an important role in ensuring that consumers of PHI are protected. Primarily this is
achieved by ensuring the financial soundness of the industry, and through provision of key information
to assist consumers to make well informed decisions about private health insurance for themselves
and their families.
[1] IPSOS, Health Care & Insurance Australia, 2011 report, p. 411.
These responsibilities are made explicit in the Private Health Insurance Act 2007 (PHI Act) which
states that PHIAC should take all reasonable steps to strike an “appropriate balance” between three
sometimes competing objectives, namely:
fostering an efficient and competitive health insurance industry;
protecting the interests of consumers; and
ensuring the prudential safety of individual private health insurers.
It is within this context that PHIAC has been reviewing the effectiveness of the risk management
practices being used across the Australian private health insurance industry, and discussing potential
strategies for strengthening these practices directly with individual insurers. PHIAC’s ongoing program
of fund reviews continues to highlight variability in the effectiveness of risk management in the
industry. This raises a prudential concern which PHIAC must, in the proper discharge of its role,
address.
This paper has been prepared to generate discussion within the industry about the adequacy of
existing risk management practices, to raise awareness of PHIAC’s expectations in relation to risk
management, and to discuss options to enhance risk management practices across the industry.
The paper develops the range of risk management concepts canvassed with the industry at the
PHIAC seminars held across Australia in July and August 2012. In particular, this paper seeks to
advance that discussion by proposing three approaches or options for improving the effectiveness of
risk management within private health insurers. Accordingly, the options for discussion are:
Option 1: Retain the status quo - no changes to existing arrangements.
Option 2: Promulgation of non-binding, quasi-regulatory risk management guidance materials
for the industry.
Option 3: Development of a Risk Management Prudential Standard to require all insurers to
adopt effective risk management practices.
PHIAC welcomes feedback on the discussion paper from the industry, consumers and other interested
stakeholders. To assist PHIAC’s ongoing analysis of the issue, submissions should evaluate the
relative merits of each option and, where practicable, provide an analysis of the potential compliance
costs of each proposal.
Receipt of such contributions will ensure that PHIAC can develop its consideration of this issue with
the benefit of feedback which is well-informed, and which improves its capacity to ensure that policy
holders are protected without unduly burdening the industry.
This paper marks the beginning of at least two rounds of industry consultation. Depending on the level
of feedback received, it is envisaged that a second consultation round will occur in mid-2013. The
second paper will provide feedback on the options canvassed in the first paper and if necessary,
additional information to support the consultation process. Comment on this first discussion paper
must be received by PHIAC on or before COB Friday 15 March 2013.
3. Regulatory context
PHIAC engages with the industry primarily through a rolling program of fund reviews and desktop
reviews, a quarterly review of key industry statistics, regular face-to-face meetings, workshops and
electronic communications. This ensures PHIAC has an up-to-date and sound understanding of each
insurer’s operations, and a strong evidence base for any regulatory activity. The industry benefits from
these exchanges by being kept updated in relation to key changes in the sector, and by having access
to PHIAC’s independent risk analysis methodologies to assist in identifying and resolving potential
weaknesses in their operations.
PHIAC exercises a decision-making role in a range of industry transactions, including applications for
registration, conversions to for-profit status, mergers and acquisitions. In applying to PHIAC for appraisal
and / or approval of these and other proposed transactions, the applicant must be able to
demonstrate a sound business case, an ability to comply with all legislative requirements and that,
during the transaction, policy holder interests will be protected.
Divisions 140 and 143 of the PHI Act describe PHIAC’s responsibility to develop financial standards
for the industry, the Solvency and Capital Adequacy Standards (Capital Standards). The Capital
Standards require insurers to retain sufficient capital to ensure their health benefits fund(s) remain
solvent and hold sufficient capital to meet their liabilities. Monitoring compliance with the Capital
Standards is a significant part of PHIAC’s day-to-day oversight, as ongoing compliance minimises the
potential for insurer collapse.
PHIAC is also empowered under Division 163 of the PHI Act to set binding rules in a broad range of
areas to ensure that insurers conduct their affairs with integrity, prudence and professional skill.
Since 2007, PHIAC has exercised its powers in this area by making four Prudential Standards dealing
with the topics of Appointed Actuaries (2007); Governance (2009); Disclosure (2011) and Outsourcing
(2012). PHIAC sees the design and establishment of targeted industry standards as a key control in
the proactive oversight of the industry’s affairs.
The PHI Act also explicitly sanctions PHIAC acting on a preventative basis in a range of situations.
This acknowledges the principle that it is always better that an issue be addressed early and
proactively before it has developed the capacity to impact on policy holders and damage not only the
reputation of the relevant insurers, but also, potentially, the wider industry.
Whilst PHIAC’s preference is to resolve issues collaboratively, where PHIAC has concerns about the
long term financial position of an insurer, or has reason to believe that the affairs of an insurer are
being, or are about to be, carried on in a way that is not in the interests of policy holders, it can pursue
a range of enforcement actions, including the issuing of notices and / or directions; the
commencement of investigations; request for undertakings; the appointment of external managers; or
Federal Court intervention.
4. Approaches to risk management – the current picture
During the last 10 years, the cornerstone of PHIAC’s regulatory oversight of the industry has been a
rolling program of fund reviews, designed to analyse the operations of each insurer, with a view to
identifying potential weaknesses in an insurer’s operations, before these weaknesses impact heavily
on the insurer’s operations and policy holders. When combined with the quarterly and annual
collection of statistics, the fund review program enables PHIAC to:
identify and analyse risks specific to each insurer in a systematic manner;
assess an insurer’s overall risk of failure; and
monitor and prioritise the management of risk across the industry.
The fund review program examines insurer risk in nine key areas:
board composition;
risk governance;
management;
strategic planning;
internal controls;
business operations;
investment;
pricing; and
capital management.
In 2009, a review of sixteen insurers identified that half were operating with informal risk management
processes; that two thirds had limited or inadequate Board or Audit Committee review; and that staff
awareness of the risk management process was less than optimal.
In January 2010, PHIAC introduced a Governance Standard to ensure that consistent and good
practice governance arrangements were in place across all insurers. Relevantly, Rule 7(1) of the
Governance Standard states:
“[Insurers must have] written policies to manage the insurer’s risks [and] procedures in place
to monitor and evaluate compliance with the policy and ensure that the policy is regularly
reviewed”.[2]
When it commenced in January 2010, this requirement established a base level of risk management
in the industry, designed to enhance existing risk governance practices. It was left to individual
insurers to develop policies appropriate to their operations and to develop procedures which would
ensure their Boards and senior management teams could effectively monitor the risks of the insurer
on an ongoing basis.
PHIAC’s fund review program has identified that since the introduction of the Governance Standard,
the industry has adopted a broad range of approaches to meet this requirement, with significant
variability in effectiveness of these approaches and a focus on process rather than outcome.
More specifically, during 2011-12, a review of insurers’ risk management arrangements was
conducted as part of the fund review program. Whilst many of the insurers reviewed demonstrated
effective risk management practices, a significant number of those reviewed exhibited some or all of
the following issues:
Enterprise-wide risk management is generally not in place and where it is, adjustments are
needed to maximise its effectiveness.
The engagement of Boards in strategic risk management is sometimes limited in a practical
sense. Risk appetite statements may be in place but where they do exist, changes are
required to ensure they are operationalised effectively.
The quality of risk management information and data going to Boards and Committees is
often poor due to deficiencies in enterprise-wide risk management arrangements.
An external, neutral assessor is often not engaged to review risk management.
Risk management skills are variable and, not infrequently, quite rudimentary.
Mechanisms for engaging staff in risk management are not widely evident. Links between
staff responsibilities and risk controls are not clearly apparent.
The application of risk management as both a governance process and business process is
sometimes limited.
[2] Rules 7(1)(a) and 7(1)(b) of Schedule 1 to the Private Health Insurance (Insurer Obligations) Rules 2009 (the
Governance Standard).
PHIAC considers it essential that insurers should employ a structured and systematic approach to the
identification and management of risk, given the complexity of the private health insurance business
environment and the rate of change within the industry.
The benefits of changed and improved risk management practices include:
increased likelihood of achieving business objectives;
improved communications both internally and externally;
improved governance and board oversight;
more informed decision making;
better use of resources;
improved organisational resilience;
improved fraud control; and
improved compliance with legislative and regulatory requirements.
Whilst PHIAC does not advocate a one-size-fits-all solution to the application of risk management in
the industry, it is considering options which will achieve sound prudential outcomes through consistent
and effective risk management practices across the industry.
5. Reference points for the current review
The consequences of poor risk management are regularly highlighted by government and business
failings reported through the media. Further, the effects of the Global Financial Crisis illustrate the
new paradigm of networks, connectivity and systematic risk management requirements.
Risk management provides a recognised and demonstrable approach to improving the effectiveness
of organisational governance. Through its application, business relationships are analysed and better
understood, and decision making is better informed.
In developing options to assist insurers to benchmark their risk management, and to evaluate whether
risks are being adequately addressed, PHIAC has taken into account the following reference points:
PHIAC’s supervisory experience: PHIAC’s fund review program has highlighted the variability of
insurers’ risk management practices.
Introduction of the PHI Act: Enacted in 2007, the legislation contains provisions which specifically
empower PHIAC to make prudential standards addressing the conduct by private health insurers
of any of their affairs with integrity, prudence and professional skill.[3]
The Governance Standard: As set out in Schedule 1 of the Private Health Insurance (Insurer
Obligations) Rules 2009, the Governance Standard includes the requirement that insurers have
written policies to manage the insurer’s risks, and procedures in place to monitor and evaluate
compliance with the policy.
APRA Risk Management Standards: Risk management is embedded in a number of prudential
standards for authorised deposit-taking institutions, and APRA stipulates specific risk management
standards for general insurers and the superannuation industry.
International Frameworks for Risk Management: the International Organisation for
Standardisation (ISO) has established ISO 31000 as the international standard for risk
management. ISO 31000 sets out principles, a framework and a process which, when
implemented, enable organisations to maximise the benefits of risk management. This ISO
standard is not mandated for Australian organisations.
The International Association of Insurance Supervisors (IAIS): The IAIS has issued a set of
Insurance Core Principles (ICPs) which establish an internationally recognised framework for
the supervision of the insurance sector. Within the ICPs are specific principles and standards
relating to risk management and what regulators must require of insurers with respect to risk
management, including risk policy, compliance, internal audit and enterprise level risk
management.
The Australian Securities Exchange (ASX): The ASX has issued Corporate Governance Principles
which include a principle (Principle 7) on recognising and managing risk. Although these principles
and their subordinate recommendations are not prescriptive, listed companies must disclose in their
annual report any recommendations that have not been followed, and give reasons for not
following them.
Increasing systemic risk: The complexity of the modern business environment presents an
increasing exposure to systemic risk. This risk can be better managed with an appropriate risk
management framework which identifies, analyses and addresses these risks.
[3] Division 163 of the Private Health Insurance Act 2007: Prudential Standards.
6. Options to improve risk management
To move forward, PHIAC is proposing three (3) options for consideration by industry stakeholders to
improve the effectiveness of risk management across the industry.
PHIAC considers that the case for improvement has been established and that changes are required
to reduce the risk of ineffective risk management within all insurers.
Option 1: Retain status quo - no additional requirements regarding risk management arrangements
Description: No changes or additional risk management requirements beyond those already
contained in the PHI Act and the Governance Standard, which is set out in the Private Health
Insurance (Insurer Obligations) Rules 2009.
Pros: No additional costs to insurers as there would be no change to the existing legislated
provisions.
Insurers who choose to improve the application of risk management within their organisations will do
so of their own volition, potentially improving the ownership and sustainability of changes introduced.
Insurers can choose a risk management system that best meets their business circumstances and
commitment to risk management.
Cons: Potentially no changes to the existing variability in the effectiveness of insurer risk
management.
Recommendations for improvement in insurer risk management remain limited to the requirements
contained in the Governance Standard, which focus on the establishment of policy. Consequently,
any substantial improvements deemed necessary cannot be required or enforced.
Compliance: No changes to current compliance obligations imposed by existing legislated provisions.
Option 2: Quasi-regulatory risk management guidance material
Description: Development and publication of guidance material to assist insurers in their
understanding and application of the elements of effective risk management. This guidance material
would draw on PHIAC’s extensive knowledge of the operations of the industry and individual insurers,
and reflect domestic and international best practice.
Pros: Potentially no or limited additional costs to insurers as there would be no change to the existing
legislated provisions.
Insurers who choose to apply the elements of effective risk management within their organisations will
do so of their own volition, potentially improving the ownership and sustainability of changes
introduced.
Guidance material would support the consistency of understanding and application of risk
management across those insurers who choose to follow it.
Cons: Potentially no changes to the existing variability in the effectiveness of insurer risk
management.
Recommendations for improvement in insurer risk management remain limited to the requirements
contained in the Governance Standard, which focus on the establishment of policy. Consequently,
any substantial improvements deemed necessary cannot be required or enforced.
Compliance: No changes to current compliance obligations imposed by existing legislated provisions.
PHIAC would include, as part of its fund review program, the review of an insurer’s risk management
against such guidance material. Compliance with any recommendations would be discretionary.
Option 3: Development of a Risk Management Prudential Standard to require all insurers to adopt effective risk management practices
Description: Development of a prudential standard which prescribes risk management principles
which insurers must comply with and apply to their operations. This standard would draw on PHIAC’s
extensive knowledge of the operations of the industry and individual insurers, and reflect domestic
and international best practice.
Pros: Consistency in the understanding and application of risk management elements across all
insurers will be achieved.
Being principles-based, the standard would allow insurers to tailor the application of the elements of
effective risk management to their operations in a way that reflects their ongoing needs and business
arrangements.
The proposed principles-based regulation will also shift the current compliance-based emphasis of
documenting risk management policies, to a holistic approach to risk management which takes into
account the entire operations of an insurer.
Cons: There will be additional costs to those insurers who do not already have the elements of
effective risk management in place. These costs may include the contracting of additional staff,
training and / or the acquisition of software to improve the monitoring and reporting on risk.
Compliance: Insurers would be required to comply with the standard and demonstrate their compliance
through:
1. An annual statement of compliance to PHIAC signed by a member of the Board on behalf of
the Board indicating that the insurer has complied with the requirements of the Risk
Management Standard; and
2. Ongoing compliance with the Standard, as monitored through a rolling program of reviews
conducted by PHIAC on an insurer’s risk management arrangements.
Any compliance concerns identified, while most likely to be resolved through discussion and consultation
between PHIAC and an insurer, could nevertheless be enforced via the Council’s powers.
Preferred option
Option 1, maintaining the status quo, is not PHIAC’s preferred option as it does not address the
identified issues of variability in the application of risk management in the PHI industry.
Both Options 2 and 3 are more likely to contribute to achieving PHIAC’s objective of improved risk
management practices. Although these two approaches will have different implementation
requirements, the high level elements within both would be similar and are discussed below in section
7.
7. Possible elements of risk management guidance or a prudential standard
Drawing on the sources noted in section 5, the principles of effective risk management which PHIAC
may consider including in quasi-regulatory guidance material, or in a prudential standard, are:
1. an enterprise wide risk management framework;
2. obligations for the Board and Senior Executive to ‘set the tone at the top’ and encourage
leadership to embed and engender a risk management culture;
3. effective systems to capture, store, analyse and utilise risk information;
4. internal communication systems which ensure that all staff understand and are committed to
implementing risk management strategies; and
5. access to appropriate risk management skills and knowledge.
Most of these principles feature as orthodox elements in a range of risk management publications,
standards and frameworks, both within Australia and internationally. The one exception is the element
requiring the establishment of an enterprise wide risk management framework.
PHIAC is of the view that such a framework will form the basis for the successful integration of risk
management into the governance and management arrangements of an insurer. An enterprise wide
risk management framework identifies and brings together the organisational components that
contribute to the overall purpose of an insurer, and if created and applied appropriately, improves the
understanding of the relationships between risk and control at all levels of the business.
19 7. Possible elements of risk management guidance or a prudential standard | PHIAC
The following table expands on these principles of effective risk management.
1. Establish an enterprise wide risk management framework

1.1 Requirement: An Enterprise-wide Risk Management (ERM) framework be established by the insurer and approved by the insurer's Board.
    Benefits: Improves visibility of risk in the organisation and links the objectives of the insurer to its risk management processes.
    Demonstrated by: The existence of an ERM framework, evidenced by board minutes indicating consideration of the framework by the board and its approval.

1.2 Requirement: The ERM framework forms part of an insurer's governance arrangements. Senior executives and managers understand the framework.
    Benefits: Risk management becomes an integral part of governance and the business management model of the insurer.
    Demonstrated by: The integration of the ERM framework with performance management, reporting, subordinate committees, audit and organisational structure.

1.3 Requirement: Risk management is integrated with business planning processes and used to inform the establishment of strategies and actions in business plans.
    Benefits: Improves the focus of strategies and actions in business plans on achieving objectives. Increases stakeholder involvement.
    Demonstrated by: Risk assessment reports against objectives in business plans. Evidence of control activities in business plans.

1.4 Requirement: Contingency plans are prepared to ensure that critical business operations are safeguarded as far as possible.
    Benefits: Enhanced business resilience. Improved understanding of the critical business processes within an insurer.
    Demonstrated by: Business continuity plans. Business impact analysis documents.

1.5 Requirement: Insurers integrate risk management processes into the development of project plans and activities.
    Benefits: More effective project plans and activities, increasing the likelihood of successful projects.
    Demonstrated by: Risk assessment reports against project deliverables. Evidence of control activities being translated into project plans.
2. Board and senior executive leadership

2.1 Requirement: The Board is responsible for managing strategic risk.
    Benefits: Leverages the skills and experience of board members. Sets an appropriate tone at the top regarding the application of risk management.
    Demonstrated by: Strategic risks identified and approved by the board, including an agreed understanding of the controls/response to these risks. The risk appetite is approved by the board.

2.2 Requirement: The Board is to get regular, credible information from management about identified risks, the operation of controls and compliance with internal policies and laws.
    Benefits: The Board can focus on strategic issues, risks and controls in the knowledge that operations are under control and that information about operations is timely, accurate and reliable.
    Demonstrated by: Risk reports provided on a regular basis to the board that reflect the design and application of the ERM framework.

2.3 Requirement: Risk management information is taken into account when important decisions are being taken.
    Benefits: Decision-makers have more information to inform decisions.
    Demonstrated by: Key or strategic decisions taken by the board or senior management are documented and include information about the risks to success, the effectiveness and costs of control and the likely consequences (positive and negative) of the decision.

2.4 Requirement: Every five years the ERM framework should be subject to external review.
    Benefits: Provides assurance to the board and other stakeholders that the insurer's ERM framework is operating effectively and maximises the application of risk management within the organisation.
    Demonstrated by: A report from the review of the ERM framework to the board.
3. Capturing, storing, analysing and utilising risk management information

3.1 Requirement: The ERM framework is to ensure that information about risk moves effectively from operational to strategic areas of the business and vice versa.
    Benefits: The operational areas of the insurer have a mechanism to escalate concerns about risk levels or the effectiveness of control activities.
    Demonstrated by: An ERM framework that identifies relationships between risks and objectives across the organisation. Risk reports contain information sourced from the operational area.

3.2 Requirement: The risk register is maintained and updated regularly.
    Benefits: Risk information can be properly captured, analysed and reported.
    Demonstrated by: A risk management software program and evidence that relative risk levels are regularly reviewed by the Board, analysed and properly understood by staff.

3.3 Requirement: The ERM framework establishes categories of risk that reflect an insurer's key business and operational objectives.
    Benefits: Enables the understanding of how to manage risk within the business environment of the insurer. Links the objectives of the insurer to its risk management processes.
    Demonstrated by: Clear alignment between the ERM framework and the organisational structure of the insurer. Use of the categories of risk in the structure of the risk register.

3.4 Requirement: The Board, senior executives and managers receive effective and timely information on the status of risks and controls from all areas of the organisation.
    Benefits: Effective assurance of business control is provided to accountable officers. Early warning of issues, enabling preventative action to be initiated.
    Demonstrated by: The frequency and quality of risk reports provided to the board and senior management.

3.5 Requirement: The internal audit program should be risk based, drawing on information from the risk register.
    Benefits: The internal audit program targets areas of greatest risk and consequence as well as key controls.
    Demonstrated by: The alignment of the internal audit program to the ERM framework and information from the risk register.
4. Obtaining and maintaining staff commitment to risk management

4.1 Requirement: Board and senior management are committed to effective risk management and set the tone for the rest of the organisation.
    Benefits: Embeds risk management into organisational culture.
    Demonstrated by: Board endorsed risk management policy and the use of risk management information in reporting and decision making.

4.2 Requirement: At all levels, staff see a risk management policy that:
    - commits the insurer to applying risk management;
    - sets risk management objectives;
    - establishes risk management governance arrangements;
    - defines the risk management processes to be applied, including the engagement of stakeholders;
    - outlines the insurer's approach to risk tolerance, risk escalation and risk reporting; and
    - mandates risk management roles and responsibilities across the insurer.
    Benefits: Demonstrates the insurer's commitment to risk management and works to obtain staff commitment to its application.
    Demonstrated by: The existence of a risk management policy with the requisite components.

4.3 Requirement: Risk management processes are adaptable to the context in which they are being applied.
    Benefits: Enables staff flexibility in the use of risk management processes to meet their needs. Engenders commitment.
    Demonstrated by: Risk assessments are appropriately adapted to their purpose and are regularly reviewed and updated.

4.4 Requirement: All significant risks of an insurer have a responsible officer or risk owner.
    Benefits: Ensures risks are managed and reported.
    Demonstrated by: Documents listing risk owners of all high level risks. Position statements and/or performance agreements with clear risk management responsibilities.

4.5 Requirement: Staff understand the connection between their conduct and risk in the management of the organisation.
    Benefits: Integrates staff behaviour into the overall control framework of the insurer.
    Demonstrated by: Risk management responsibility statements in performance agreements. Involvement of staff in risk assessment workshops.
5. Risk management skills and knowledge

5.1 Requirement: Board, senior executives and employees are provided with risk management training and ongoing support.
    Benefits: More effective application of risk management processes, including analysis of risk and design of controls.
    Demonstrated by: Risk management training programs. Facilitated risk management workshops. Specialist risk management function. Quality of risk management reports.

5.2 Requirement: Risks are described in a way that supports the application of risk management processes.
    Benefits: A common understanding of risks. Enables a detailed analysis of risk, resulting in more effective design of controls.
    Demonstrated by: Listing of high level risks. Risk reports detailing analysis and control development processes.

5.3 Requirement: Insurers have access to a specialist risk management capability.
    Benefits: Supports consistent and ongoing application of risk management.
    Demonstrated by: The existence of a risk management function or role within the organisational structure.
8. Assessment of options
PHIAC seeks feedback on the options presented in this discussion paper from industry, consumers
and other interested stakeholders. To assist PHIAC’s analysis of the options, submissions should
evaluate the relative merits of each of the three (3) options, and, where practicable, the costs
associated with the potential implementation and ongoing compliance of each proposal.
Following receipt of submissions, PHIAC will analyse the options to improve the effectiveness of risk
management in the private health insurance industry. This analysis will consider all views of the
options presented in this discussion paper, in terms of:
potential to achieve the desired outcome;
cost of implementation to industry and consumers; and
ongoing compliance requirements.
The assessment of options will be largely influenced by the feedback, comments and submissions
received.
9. Invitation to Comment
This discussion paper outlines options for improving the effectiveness of risk management
arrangements in private health insurers. PHIAC invites submissions on any element of the paper but
is specifically interested in stakeholder views on the abovementioned three (3) options for
improvement, and the extent to which each option will potentially:
achieve the required improvements in risk management;
impose unnecessary or unjustified costs on insurers; and / or
impose excessive compliance obligations on insurers.
All information (including name and address details) relating to a submission may be made publicly
available via PHIAC’s website, and may be referenced in future PHIAC papers and reports. If you
prefer that some, or all, of your submission remains in confidence, you should state this in your
submission and the confidential material should be clearly identified and included in a separate
attachment. You should carefully consider the information contained in your submission as the
confidentiality of your response might be affected by legal requirements such as the Freedom of
Information Act 1982.
PHIAC invites submissions and requires that they be received on or before COB Friday, 15 March
2013. Submissions can be emailed to [email protected] or sent to:
General Manager, Industry Operations
Private Health Insurance Administration Council
PO Box 4549
KINGSTON 2604
10. Next steps
The next steps in the review of risk management arrangements in insurers include:
Date (2013)     Action
21 January      Discussion Paper issued for an 8-week consultation period
15 March        Discussion Paper submissions due
March/April     PHIAC consideration of feedback, comments and submissions
May             Second Discussion Paper issued for another 8-week consultation period
June/July       Second Discussion Paper submissions due
July/August     PHIAC consideration of feedback, comments and submissions
2nd half 2013   Adoption of preferred option
11. Abbreviations used in this paper
ACCC Australian Competition and Consumer Commission
APRA Australian Prudential Regulation Authority
ASIC Australian Securities and Investments Commission
ASX Australian Securities Exchange
Board The board of directors of a private health insurer
COB Close of business (usually 1700hrs)
ERM Enterprise Risk Management Framework
FOI Act Freedom of Information Act 1982
Fund The health benefits fund or funds of an insurer registered under the Private
Health Insurance Act 2007
IAIS International Association of Insurance Supervisors
ICP Insurance Core Principles issued by the IAIS
Insurer A private health insurer registered under the Private Health Insurance Act
2007
ISO International Organisation for Standardisation
PHIAC The Private Health Insurance Administration Council
PHI Act The Private Health Insurance Act 2007
12. Relevant legislative extracts
Extracts from the Private Health Insurance Act 2007
Section 163-1 Private Health Insurance (Insurer Obligations) Rules to establish prudential standards
(1) The Private Health Insurance (Insurer Obligations) Rules may establish prudential standards.
(2) Prudential matters are matters relating to:
(a) the conduct by private health insurers of any of their affairs in such a way as:
(i) to keep themselves in a sound financial position; or
(ii) not to cause or promote instability in the Australian private health insurance
system; or
(b) the conduct by private health insurers of any of their affairs with integrity, prudence
and professional skill;
but does not include matters relating to the solvency or capital adequacy of health benefits
funds.
(3) A *prudential standard may impose different requirements to be complied with:
(a) by different classes of private health insurers; or
(b) in different situations; or
(c) in respect of different activities.
(4) A *prudential standard may provide for the Council to exercise powers and discretions under
the standard, including but not limited to discretions to approve, impose, adjust or exclude
specific prudential requirements in relation to a particular private health insurer or a particular
class of private health insurers.
(5) A *prudential standard takes effect on the day on which it is established in the Private Health
Insurance (Insurer Obligations) Rules, or on such later day as is specified in the Private
Health Insurance (Insurer Obligations) Rules.
*Note: The prudential standards are established by the Private Health Insurance (Insurer Obligations)
Rules.
Section 264-10 Functions of the Council
General
(1) The functions of the Council are:
(a) to administer the Risk Equalisation Trust Fund; and
(b) to administer the registration of private health insurers under Part 4-3; and
(c) the information collection function under subsection (2); and
(d) the compliance functions under subsection (3); and
(e) the enforcement functions under subsection (4); and
(f) the public information functions under subsection (5); and
(g) the agency cooperation functions under subsection (6); and
(h) to advise the Minister about the financial operations and affairs of private health
insurers; and
(i) functions incidental to any other functions of the Council; and
(j) any other functions conferred on the Council by this, or any other, Act.
Information collection function
(2) The information collection function of the Council is to obtain from each private health insurer
regular reports about the insurer’s operations, including reports supported by actuarial
certification.
Compliance functions
(3) The compliance functions of the Council are:
(a) to establish a *solvency standard and a *capital adequacy standard to be complied
with by private health insurers, and to give solvency directions and capital adequacy
directions to private health insurers; and
*Note: The solvency standard and the capital adequacy standard are established by the Private
Health Insurance (Health Benefits Administration) Rules.
(b) to exercise powers and discretions under the *prudential standards, and to give
directions to private health insurers relating to compliance with the prudential
standards; and
*Note: The prudential standards are established by the Private Health Insurance (Insurer Obligations)
Rules.
(c) to consider, in accordance with Division 160, whether persons should, or should not,
be appointed actuaries; and
(d) to consider, in accordance with Division 166, whether persons should, or should not,
be disqualified persons; and
(e) to examine, from time to time, the financial affairs of private health insurers, by the
inspection and analysis of the records, books and accounts of the insurers and any
other relevant information; and
(f) to review, by carrying out independent actuarial assessment, the value of the assets
and liabilities of each health benefits fund; and
(g) if it is necessary, for the purpose of making a proper examination of the financial
affairs of a private health insurer, for the Council to incur unusually high costs—to
impose an appropriate fee on the private health insurer concerned.
Enforcement functions
(4) The enforcement functions of the Council are:
(a) to take action under Part 5-2 to monitor compliance with, and to encourage or compel
compliance with, Council-supervised obligations; and
(b) to appoint, under section 214-1, inspectors for the purpose of investigating the affairs
of private health insurers under Division 214, and to exercise other related powers
and functions of the Council under that Division; and
(c) to appoint, under Subdivision 217-B, persons as external managers of health benefits
funds, and to exercise other related powers and functions of the Council under
Divisions 217 and 220.
Public information functions
(5) The public information functions of the Council are:
(a) to make statistics, and other financial information, relating to a private health insurer
or private health insurers, publicly available in accordance with the Private Health
Insurance (Council) Rules; and
(b) to collect and disseminate information about private health insurance, for the purpose
of enabling people to make informed choices about private health insurance.
Agency cooperation functions
(6) The agency cooperation functions of the Council are:
(a) to cooperate with other regulatory agencies on matters affecting private health
insurers and the private health insurance industry generally; and
(b) to provide the Private Health Insurance Ombudsman, from time to time, with
information in the Council’s possession that the Council considers likely to be of use
in production of the State of the Health Funds Reports referred to in paragraph
238-5(c).