Mike Dalzell, Head of Group Assurance, Pro; Joe Perdoni, Head of Prudential Regulation at the Gibraltar Financial Services Commission (GFSC); Kathryn Morgan, NED, Marshmallow & Soteria Insurance; and David Woodfine, Managing Director, Cyber Security Associates, shared their thoughts on regulation and compliance in relation to the GFSC and Financial Conduct Authority (FCA) supervision strategy, and how audits can help when approaching the key drivers for harm.
Against the backdrop of economic uncertainty, Brexit and the pandemic, the insurance sector is facing intense scrutiny from central banks and regulators; the focus being financial and operational resilience.
In the UK, the FCA has set out three key areas of risk; these are ineffective governance and oversight, culture and non-financial misconduct, and ineffective insurance distribution chains. A similar emphasis on operational resilience is reflected in Gibraltar, where the focus is on business plans, capital, company group governance, and conduct risk.
At the outset of the discussion, Joe Perdoni highlighted the outcome that the GFSC is focused on. “The outcome we want to achieve is the authorisation and supervision of well run, appropriately governed, sufficiently capitalised and sustainable insurance businesses that possess consumer centric attitudes, ensure customers are treated fairly & deliver good outcomes for these customers.”
Mike Dalzell echoed this. “If the last few years have taught us anything, it’s that the FCA has rightly set high expectations of how insurance firms should be mitigating these risks. And with moves towards tougher regulations in these areas, companies will need to ensure they have robust processes in place or face possible investigations and enforcement.”
Kathryn Morgan highlighted the need for operational resilience to be a boardroom topic. “Without measurement, you simply won’t know what is going on at a business. There is a strong case for continuous learning and improvement across all aspects of a business, including outsourcing arrangements, and fostering a culture of regularly checking against priorities and using failure / missed targets as an opportunity to learn is critical to modern businesses.”
The panellists also noted that regulators were increasingly drawing cyber security into the operational resilience framework. Regulators want to understand how a firm is organised to look at cyber risks and what mitigants they have in place. David Woodfine highlighted that cyber security is too often regarded as an IT problem, when it should be an integral part of a firm’s operational resilience strategy.
“A lot of companies just expect technology, like firewalls, to solve cyber problems, when in fact, people are the first line of defence,” David said. “They are the ones who receive the phishing emails, so you need to look at how you are preventing and preparing for these attacks. This should be a priority, and regulators are rightly increasing the focus on the area of cyber security.”
Not just box ticking
Developing a robust risk framework – and therefore a strong operational resilience – is all about good governance; and to achieve this the panellists were clear that there is a need for regular, independent audits that are performed with a mindset of extracting value and learning, rather than performing a box ticking exercise. Audits highlight inefficiencies and mitigate risks, but their success depends entirely on whether companies actually follow up on recommendations – and put right what is wrong.
“Internal audits are a valuable tool and keep people on their toes,” Joe said. “Audits can identify inefficiencies, and if you have a fluid audit plan, it will allow you to add in any new risks that are identified. From a regulatory perspective, this is something we expect to see.”
Audits are vital in highlighting risks; however, there tends to be a reluctance by firms to carry them out, and as a result, few realise their full potential.
“Audits aren’t a punishment,” Kathryn said. “It’s about holding up a mirror so you can see what works well and what doesn’t – and then fixing those areas. Many regulatory requirements are common sense, but you need to be able to demonstrate that you know what you are talking about.”
Dave agreed, “Cyber risk is an ever-present, ever-changing risk to firms – and no-one can consider themselves immune. To my mind, independent cyber security audits should be conducted more regularly than standard financial / strategic audits due to the evolving nature of the threat, and the potential serious repercussions of a successful attack from a business and regulatory perspective.”
Understanding and implementing
This level of insight is key. As Joe pointed out, a successful audit isn’t just a review of your operations; it’s about understanding what the issues are, planning what you are going to do about them, and then implementing that plan.
“From a regulatory perspective, if we see that firms are looking at ways of addressing any issues, it gives us comfort that they are trying to do the right thing – as opposed to just sticking their heads in the sand and hoping it never happens,” Joe said.
As the panel agreed, an element of ‘hope’ just isn’t enough when it comes to mitigating risks, which is why audits are so important. But getting real value from your audit comes down to company culture and attitude.
An unnecessary evil?
During the Q&A session, the panellists were asked whether audits were an unnecessary evil.
Kathryn said, “Yes, it is an unnecessary evil if it isn’t done properly – businesses can waste a lot of time and money just ticking boxes, not thinking about the value they could be extracting from the process. So if you do that, then it is an unnecessary evil, but if you do it properly then it’s brilliant.”
Joe’s response summed up the view of the panel and provided an inspiring closing thought, “I was going to flip it around and actually say it’s a necessary benefit – audits are the key to evidencing operational resilience, enabling continuous improvement.”