Data management software company Cluster Seven has urged insurers to ensure they are accounting for spreadsheet risk in their implementation plans for Solvency II.  The firm has issued a guide for insurers highlighting how to manage spreadsheet risk and what to look out for when implementing the European directive.  According to a research by Deloitte, 70% of companies rely on spreadsheets to support their business-critical financial reporting.  The focus of software providers like Cluster Seven has been to attempt to control versioning, security, auditing, disaster recovery and highlight potential misuse and erroneous updates of spreadsheets as if they were central applications under the normal control of IT.  This however only solves part of the problem.

The Solvency II regime requires data to be accurate, complete and transparent.  The fact data is being extracted from different data sources and manipulated within spreadsheets prior to being passed to the internal capital model raises cause for concern.  Further, how is one able to demonstrate, for example, the data used by the claims management departments is consistent with that used within the internal model when claims data is ‘processed’ through spreadsheets prior to feeding the internal model?  Unless the manipulation is fully understood across the business, validated, approved and audited then Solvency II compliance will not be achieved.

 

I recently sat on a panel discussion centred around a short set of topics that form a locus of interest of the requirements of Solvency II, particularly of Pillar2, and mainly on Operational Risk.  These topics were: Governance; Reserves; Data currency; Security; Process control and auditability and management of external services.  In previous posts of this blog, I gave my views on several of the topics and I conclude my report here:
 
5.     How can the claims director ensure that all incidents of data handling and exposure of details during the claims process are controlled and auditable to prevent any breach of privacy or data protection laws, limiting exposure to mis-processing resulting in litigation and reputational risk?

I think this is essentially the same answer as I have given before and that is the claims handling process should be automated. What systems are really good at is enforcing rules and providing workflow; people can’t circumvent like they can in manual processes or forget to do things or check things. Absolute automation is naïve but there are many pragmatic steps that can be put in place. The other thing systems are really good at is logging who did what and when. This provides an audit trail that is very difficult to achieve in a manual system.

In a lot of cases data is not up to date or even complete due to pressures on human resources. Solvency 2 will demand that data is complete, accurate and appropriate. Clearly claims data will be a vital dimension in the internal capital model and as such it will be subject to the regulators attention.

Data security is more easily managed in an application than with manual processes. Documents by their nature are uncontrolled. You do not know who has them, they can be copied, lost, stolen etc.
Just having data or documents in a central repository reduces the risk of working with out of date data or documents.

 

Part 3 to follow on 31 May 2011...

I recently sat on a panel discussion centred around a short set of topics that form a locus of interest of the requirements of Solvency II, particularly of Pillar2, and mainly on Operational Risk.  These topics were: Governance; Reserves; Data currency; Security; Process control and auditability and management of external services.

I thought I would blog my answers as these seemed to be well received by other panel members and the audience.

1.    Within the claims process how do you ensure strict governance is observed
As a person who sees technology as a solution to business problems, I believe the best way of ensuring consistency and repeatability and ensuring that the company’s principles are carried out objectively rather than subjectively is by use of technology. A rule based application built around pre-defined processes that the company has already decided is best practice, supported by workflow that can automatically segment, route and control the process of the claim dependent on criteria that is driven by the complexity or severity of the claim, will bring this discipline.

There is also a deployment factor too. If that application can be deployed not just within the organisation but to external parties such as TPAs or expert advisers too, then the company has the added advantage of knowing that its service providers are also processing claims in the same consistent way.