InsurTech Risk Management


Digitisation in the insurance industry is accelerating; there is a demand for innovative technologies to meet the ever-evolving demands of customers. Millennials, for example, are an increasingly important customer segment that expects the option to use mobile applications to manage their assets and insurance products. This trend will likely continue with as other Digital Natives like Generation Z begin to enter the workforce. Stepping back from customer groups, more generally there has been increased demand from all customers for greater convenience in product delivery as well as tailored products and premiums. In response, there has been an explosion in insurance technology (“InsurTech”) companies to meet this growing need for personalised, digital, and convenient insurance products.

To govern the growth of InsurTech, regulators around the world have taken different approaches to regulate the insurance industry. In Hong Kong, the Insurance Authority ("IA") published the Guideline on Enterprise Risk Management ("Guideline") on 5 July 2019 that came into force from 1 January 2020. The Guideline provides supervisory objectives, guidance, and expectations of the IA on Enterprise Risk Management ("ERM") framework and Own Risk Solvency Assessment ("ORSA").

The IA expects that all companies offering insurance products, be they large incumbent firms or smaller InsurTech start-ups, to properly comply with regulatory requirements. For new InsurTech firms, we see the following as possible challenges in managing their compliance requirements:

  • Risk-based Capital ("RBC") Regime;
  • Stress and Scenario Testing; and,
  • ORSA.

This article will explore these challenges and how InsurTech firms can ensure they have robust compliance. 


RBC Regime

The RBC regime for Hong Kong's insurance industry comprises three key components, commonly known as the "Three Pillars", where

  • Pillar 1 covers the regulatory capital rules and requirements;
  • Pillar 2 covers corporate governance and ERM; and,
  • Pillar 3 covers reporting and disclosure requirements.

Under the regime, insurers are required to maintain a sufficient amount of capital for their risk exposures ("Target Capital"), e.g. insurance risk, credit risk. To determine the amount of capital required, insurers must develop models to quantify the Target Capital for different risk exposures.

Developing models for the quantification of Target Capital involves collecting an extensive amount of data, which therefore requires significant data resources (i.e. a large dataset). InsurTech companies that are growing their customer bases may face difficulties in extracting sufficient data in order to build a comprehensive Target Capital model or to be able to validate the model’s accuracy and robustness. Similarly, there may not be sufficient analysis available on the risk characteristics or behaviour patterns of new customer groups (e.g. millennials or customers that have been underserved by traditional insurance companies). An InsurTech’s risk appetite framework and business plans might not be developed enough to support the quantification of the Target Capital. Therefore, customised data solutions are in demand from InsurTech companies to develop a strategic model for capital management. 


Stress and Scenario Testing

According to the Guideline, insurers must conduct stress and scenario testing based on material risks to assess their risk profile and thus the relative movements in capital resources and capital requirements based on assumed adverse movements in key risk factors. The adopted stressed conditions and scenarios should consider multiple adverse events for the insured as well as the macroeconomic factors that may pose an impact on the insurers. In practice, insurers undertake the following steps in stress and scenario testing:

  • Define the scope of stress and scenario testing;
  • Develop the scenarios, including the stress scenarios for testing;
  • Consolidate data used for the testing;
  • Estimate the risk and capital status under normal situation;
  • Estimate the risk and capital status under normal situation;
  • Report the testing result to the Board and Senior Management; and,
  • Incorporate the testing result into business operations.

As mentioned previously, new InsurTech companies face challenges in data resources and customer analysis. These challenges also pose difficulties for companies when they are developing the modelling approaches on stress and scenario testing. Without sufficient historical data or analysis on customer behaviour, InsurTech firms find it difficult to estimate the relationship between the scenario settings and the major risk exposure of the companies, i.e. how the scenarios will affect the capital or profit of the companies. It raises concerns about the explanatory power of stress and scenario testing.


Own Risk Solvency Assessment

The Guideline sets out the minimum requirements for the ORSA Report. Insurers should regularly perform an ORSA to assess their risk profile, the adequacy of their risk management, and also their current, and likely future, solvency, and liquidity positions. The first ORSA report must be submitted before June 2021. Generally, the ORSA report should cover the following elements:

  • Risk management governance framework and mechanism;
  • Risk appetite framework;
  • Risk identification and risk monitoring mechanism;
  • Stress and scenario testing;
  • Capital quantification;
  • Adequacy of financial resources; and,
  • Recovery plan.

For new InsurTech companies, resources in terms of manpower and infrastructure may be allocated to develop profit-generating insurance products and solutions (e.g. artificial intelligence, blockchain), leaving less talent capacity for regulatory reporting. InsurTech firms may still be designing a robust process for ORSA report preparation or developing a comprehensive ORSA reporting template. The ORSA report preparer may need extra time to identify personnel who are responsible for providing the data, to aggregate the data, and to consolidate the information into the report. All of this combined could affect the effectiveness of the ORSA reporting submission. As well, there may not be automated controls and reconciliations to ensure the accuracy of the ORSA reporting. Therefore, many InsurTech companies are looking for solutions to prepare the ORSA reporting in an effective way and develop mechanisms to enhance its accuracy.


How Deloitte can help

Our expertise and experience in working with the insurance industry allow us to support clients with a broad range of services that are tailored to their specific needs, including:

  • Model development or validation for RBC regime;
  • Setup or enhancement of the stress testing framework;
  • Preparation or review on the ORSA reporting template;
  • Automation of ORSA reporting;
  • Design and implementation of risk appetite and risk management framework; and,
  • Development and review of continuity analysis and business failure analysis.

With the knowledge and insights in the insurance industry, Deloitte can leverage key learnings from previous experience and provide insights on benchmarking across industries to deliver a tailor-made solution. We can help clients chart a path that is most suited to their organisation's specific needs.

Did you find this useful?