In an earlier post, I looked at the first of two problems I often encounter when reviewing how insurance firms manage their conflicts of interest risk. That was a scope inappropriate for the business model, something that undermines the firm’s management of this ethical risk almost before it gets started. The second problem occurs much later on in that process, just when directors think that their firm’s management of conflicts of interest is ‘all done and dusted’.
The issue is referred to as ‘gross and net’ risk. Let’s assume that you can put a tick against setting your scope, identifying all the risks, prioritising them, establishing levels of improvement and having a variety of mitigation measures. These are all important steps in any risk assessment process and a firm needs to be confident that each has been addressed appropriately. Job done? Not if you look at many of the big fines handed out to UK insurance firms over the past five years.
Consider the huge fines handed out to Aon, Willis, JLT and Besso by the UK regulator. OK, so all involved anti-bribery risks, but let’s put that aside for this post: the issues are the same for conflicts of interest. The lesson those firms had to learn was that policies, procedures and controls look very nice on paper, but are completely irrelevant if left unused. In fact, they can be dangerous, if left to create a false sense of security. The boards overseeing those firms had assumed that they were looking at net risk, when in fact they were being exposed (very expensively, as it turned out) to something pretty close to gross risk. They were being reassured that the forward looking measures were in place, but left in the dark about the back risk of no one subsequently paying any attention to them.
Gross and net risk is effectively a measure of the extent to which your firm is relying on its control measures. All too often, firms put a great deal of faith in their control processes, but forget that it’s people that determine their effectiveness. Assuming all is ‘working as you want it to work’ is something I often find over relied upon. So how can you address this problem?
Like other ethical issues, you can assess the risks from conflicts of interest in terms of likelihood and impact. Gross and net risk can be applied to both likelihood and impact, but because impact is often determined more by factors external to the firm, it is more useful when considering likelihood. So if for a particular type of conflict of interest, you gauge the likelihood of the gross risk to be 8 out of 10, and the net risk after various controls to be 3, then you have a spread of 5.
Repeat this across your priority conflicts of interest and seek to identify common contributors to those gross-net spreads: for example, lack of training or the wrong ‘tone from the top’. A force-field analysis can provide a useful framework for organising this.
Then work out the overall affect on that accumulated gross-net spread if one of those common controls proving ineffective. Is your revised net risk still without your firm’s risk tolerance? Has poor training had that much of an influence, compared to, say, your senior executives failing to deliver the right ‘tone from the top’? What are the most important warning signs to look out for?
A false sense of security has undermined the ethical credibility of many an insurance firm. This sort of analysis helps to address that. It may be something you’re not used to, but then neither should a regulatory fine be.
