Future of legal risk management: lessons from the insurance industry

Substantial cultural, operational and financial changes are taking place among the insurance and reinsurance risk-carriers of the EU. These changes result from preparations for the implementation of the Solvency II Directive (the Directive), currently due to take effect in 2012.

The Directive requires the establishment and operation of risk management processes to make risk-carriers more robust or resilient in the face of adverse developments. These processes, which are commonly described on a collective basis as ‘Solvency II’, comprise the Directive and a range of national and industry or market-specific legislation, regulations and guidance.

Solvency II affects all aspects of risk-carriers’ operations, but has particular importance for the compliance and legal functions. Changes in the roles and significance for these functions could become important for the management of risk in the wider economy.

Where economic entities – commercial or governmental – are significant buyers of insurance as a risk management resource, they may find that their insurers expect them to adopt some or all of the risk management techniques and attributes that the insurers have acquired. Insurance purchasers may also find that their insurance intermediaries or brokers are able to offer them risk management services to align the purchasers’ risk management cultures or methodologies with those of their insurers.

Solvency II and understanding risk

One of the aims of Solvency II is to make risk management – in particular through the allocation of capital resources against risk – less reactive and more pre-emptive. Emphasis is placed on understanding the nature and effects of the full range of risks facing an insurer or reinsurer. This is, in part, a question of categorising each such risk. For example, Article 101 of the Directive refers expressly to various categories of risk, which are defined in Article 13:

  • Underwriting risk: the risk of loss or of adverse change in the value of insurance liabilities, due to inadequate pricing and provisioning assumptions.
  • Credit risk: the risk of loss or of adverse change in the financial situation, resulting from fluctuations in the credit standing of issuers of securities, counterparties and any debtors to which insurance and reinsurance undertakings are exposed, in the form of counterparty default risk, spread risk or market risk concentrations.
  • Market risk: the risk of loss or of adverse change in the financial situation resulting, directly or indirectly, from fluctuations in the level and in the volatility of market prices of assets, liabilities and financial instruments.
  • Operational risk: the risk of loss arising from inadequate or failed internal processes, personnel or systems, or from external events.

Operational risk is arguably the widest, yet most essential, category of risk that requires management. Any economic entity will inevitably have operational functions and, one way or another, will interact with external entities and events. In an ideal world, an entity that has fully understood all the means by which it functions and interacts would have adequate internally and externally oriented processes, systems and controls. Of course, the reality can be materially different from this ideal, and the interaction of an entity with ‘the outside world’ involves a huge and complex matrix of causes and effects.

Nevertheless, it is possible to analyse and evaluate such interaction in some detail, and the Directive seeks to make this possible. Article 101 gives some explanation of what is meant by ‘operational risks’, which the article states:

  • includes ‘legal risks’ – this term is not defined, but is broadly understood (see, for example, the ‘Solvency II Glossary’, produced by the Comité Européen des Assurances and the Groupe Consultatif Actuariel Européen, pan-European trade bodies for risk-carriers and actuaries) to mean the risk that legal proceedings do not have the outcome expected or hoped for; but
  • excludes (i) ‘strategic decisions’ – which result in ‘strategic risk’, being in broad terms where business plans are out of step with the realities of the business environment; and (ii) ‘reputation risk’ – being in broad terms a loss of confidence in a business as a result of adverse publicity (see the Solvency II Glossary).

No less important is the appreciation that risks, and the factors giving rise to risk, are not fixed and immutable in their types, number and nature, but can change. Especially important is the ability to identify and manage ‘emerging risk’. This category of risk is mentioned in Article 41 in relation to the effectiveness of governance and management systems within risk-carriers, and in broad terms means matters that can threaten the quality or viability of operations, even if those matters are not fully formed or understood.

Significance of Solvency II for the legal function

Because of the requirement to calculate and report on particular amounts of capital for allocation against certain risks, much of the Directive relates to the architecture of actuarial and insurance supervisory functions. However, Article 46 of the Directive includes the following requirement in relation to the management of legal risk:

‘Insurance and reinsurance undertakings shall have in place an effective internal control system. That system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking, and a compliance function.

The compliance function shall include advising the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive. It shall also include an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.’ [Emphasis added.]

In relation to Solvency II, ‘compliance risk’ has been defined by one of the key bodies charged with giving effect to the Directive, the Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS) as:

‘The risk of legal or regulatory sanctions, material financial loss, or loss of reputation an undertaking may suffer as a result of its failure to comply with laws, regulations and administrative provisions.’

(See CEIOPS’ July 2007 issues paper ‘Risk Management and Other Corporate Issues’).

Of course, the ‘legal environment’ comprises various types and a huge number of sources of legal obligation and risk, including primary and secondary legislation, and case law on contractual, equitable and tortious issues. However, given this briefing’s general theme of explaining how the insurance market could come to take the lead in risk management methodologies, it will focus on contractually based relationships, as these are the essential means of interaction within the insurance market.

Implications of compliance risk

CEIOPS’ definition of compliance risk appears to make it a type of operational risk, since a failure of compliance will often equate to a failure of an operational process to observe legal or regulatory requirements. Moreover, the practical reality is that operational failings, especially where such failings can be traced to a failure of management or governance, can give rise to a matrix of financial loss, litigation liabilities (or at least legal costs) and regulatory sanctions. In other words, a failure to manage any risk can equate to a failure to manage compliance risk.

Even if the technical terminology of the Directive were ignored, the fact remains that risk management should be addressed holistically, in that risk management failure can result in adverse consequences for the entirety of a business and its brand. On a broad basis, this can be seen in the position of various actors and forces at play with regard to ‘payment protection insurance’ (PPI).

The Financial Services Authority (FSA) has been active (some might even say aggressive) in applying regulatory techniques – such as supervisory reviews, industry-wide announcements and enforcement notices – to address the failings it has perceived in relation to product design, marketing, sales, claims handling and complaint handling by intermediaries and insurers in relation to PPI.

In some instances these failings have involved a failure to comply with technical rules on the conduct of business, such as the provision of information to consumers (see, for instance, the final notice dated 20 December 2006 against Redcats (Brands) Ltd). In other cases, there have been broader failures to manage appropriately the activities of employees (see the final notice dated 6 October 2008 against Alliance & Leicester plc).

In the case of Swinton Group Ltd, its failings in relation to PPI sales were such that the FSA fined it £770,000, required it to pay compensation or refunds to customers, and obtained Swinton’s agreement to cease trading in the PPI market (see the final notice dated 28 October 2009).

This regulatory strategy has coincided with (some might say resulted in) a huge increase in disputes relating to the duties of PPI intermediaries and insurers. Mostly these disputes have resulted in referrals to the Financial Ombudsman Service (FOS), but several court actions have also arisen (see for example Yates v Nemo Personal Finance Ltd (2010)).

The fact that there is a causal relationship between regulatory sanction and litigation is often recognised in liability (such as professional indemnity) insurance policies. These policies often seek to exclude liability on the insurer’s part for costs or loss in respect of public (criminal or regulatory) proceedings and/or fines, unless those proceedings and/or fines give rise to private litigation.

For many industries the general trend is towards increased frequency and severity of regulatory sanction – as the FSA puts it, ‘credible deterrence’. In terms of litigation trends, it is notable that many disputes relating to PPI have been handled or encouraged on a ‘bulk’ or ‘mass’ basis by claims management companies and ‘no win, no fee’ law firms. At present, the frequency and severity of legal awards in the UK in favour of consumers and small businesses against ‘big business’ is substantially lower than is famously the case in the US, but there are signs that a more aggressive ‘compensation culture’ could arise, involving more aggressive practices and drawing on a stringent regulatory culture.

Examples of the origins and consequences of legal and compliance risk

Judicial, FSA and FOS findings as to issues involving insurance intermediaries and risk-carriers can present a salutary lesson for any entity that relies on contractual terms to establish its legal rights and obligations.

A key feature of the insurance market is the use of delegated authority agreements (sometimes known as ‘binders’). The general aim of binders is to manage the basis on which the broker acts, in certain circumstances, as agent for the insurer – for instance, in relation to the distribution of insurance policies. Discussions as to the meaning and effect of binders and policies can often involve arguments over whether particular clauses have pre-determined meanings by reason of so-called ‘market practice’ (see, for instance, Temple Legal Protection Ltd v QBE Insurance (Europe) Ltd [2008]).

Of course, the precise terms and effect of any contract can, under English law, only be ascertained by application of the principles of contract construction. These principles call for an assessment not only of the contract itself, but also:

  • analysis of further written documents and oral communications (potentially before and after the contract’s conclusion); and
  • a wider assessment of the ‘relevant background’ (see Investors Compensation Scheme v West Bromwich Building Society [1998]).

Principles of construction allow a breadth and flexibility of analysis, which can produce arguments and outcomes that may not have been envisaged on the conclusion of a contract. Moreover, English law requires that the contract is construed ‘as a whole’ (see Chartbrook Ltd v Persimmon Homes Ltd & ors [2009]). The upshot of this, in short, is that the apparent terms of individual clauses may be interpreted so as to give effect to broader purposes.

If an entity does not comprehend its contractual rights and obligations in accordance with the appropriate canons of construction, then it may find that it has taken on obligations and risks of which it was not aware. This gives rise to an inherent ‘compliance risk’, in that there is a ‘risk of legal or regulatory sanctions, material financial loss, or loss of reputation’.

Moreover, if the risks raised by contracts are not fully understood, then a firm will not be in a position to allocate appropriate resources to manage the risks. In relation to the insurance market, this could, for example, result:

  • for an insurer, in under-reserving (ie not allocating sufficient capital to a particular insured account);
  • for intermediaries or insureds, in insufficient capital or professional indemnity cover; and
  • in the case of insurers, intermediaries and other firms regulated pursuant to s166 of the Financial Services & Markets Act 2000, in the FSA initiating investigations into risk management systems and controls, including a section 166 ‘skilled persons’ report, which entails a firm being required to pay for a third-party professional to report to the FSA – this can be an expensive and disruptive process.

Managing current and prospective legal and compliance risks

Obviously, a business that is not an insurance or reinsurance risk-carrier does not need to adopt the terminology of Solvency II. Nevertheless, given the huge amount of effort that continues to go into the development of Solvency II from regulators, trade bodies and risk carriers across Europe, the methodologies of Solvency II – especially in relation to the inculcation of a comprehensive language and holistic culture for risk management – could benefit many other entities.

As stated above, the ‘legal environment’ comprises issues arising out of legislation and case law on contractual, equitable and tortious points. To address this risk fully requires active and pre-emptive input from within and without a business, especially via the compliance and legal functions.