Let’s start with a simple question: as a business leader, what keeps you up at night?
One would probably answer that question with a variety of responses, all of which can be classified as risks. Businesses face risks every day from many different channels: sales risk, credit risk, investment risk, etc. The list is endless and can be daunting. Effective risk management strategies will help manage these risks, and you’ll sleep better at night, too.
Here at Beacon, we are not immune to many of the same risks. In response, we maintain a robust and evolving Enterprise Risk Management (ERM) framework. This framework details corporate-level, entity-wide risks, the likelihood of each risk occurring, and the potential bottom-line impact to the business. The framework also allows management to document their mitigation efforts and the controls implemented to limit the risk exposure.
Beacon faces corporate-wide risks too.
Some of Beacon’s top enterprise-wide risks include cybersecurity, internal/external fraud, and increasing medical costs. Beacon proactively manages these risks by monitoring current trends and new risk factors and updating the mitigation efforts accordingly.
The insurance industry is inherently at high risk of cybersecurity attacks due to the personally identifiable information held on individuals, both as policyholders and as claimants. To combat this risk, Beacon regularly performs system attack and penetration tests, including vulnerability tests, and then implements added controls, as appropriate, based on the results of those tests. By performing these tests, Beacon is able to stay up to date on current trends in the criminal cyber world.
Fraud is always a hot topic and the exposure is real in almost any business or industry. Beacon faces a variety of areas where fraud could occur. Employee misclassification, under-reporting of payroll, misclassification of injuries as being work-related or misrepresentation of facts related to the injury, and working while collecting workers’ compensation benefits are all types of fraud, among many others, that Beacon monitors and proactively manages.
3. Healthcare Costs
Healthcare and pharmacy costs continue to rise in conjunction with an aging workforce and increased comorbidities, which has a direct financial statement impact on Beacon. In an effort to mitigate the exposure and bottom-line impact of this risk, Beacon works very closely with the Medical Advisory Board and the Department of Health, provides education on the over-prescribing of medications, and strives to implement “Stay-at-Work” programs with employers. These are all measures that management proactively engages in to reduce the exposure of this risk.
The three risks described above, among others, are monitored at a corporate-wide level, but there are many risks that are tackled at the department level with controls built within the departmental workflows and policies and procedures.
Beacon uses an internal control framework to identify these risks and ensure that control activities are in place and working as intended. At the department level, some common internal controls used to mitigate risks are segregation of duties, establishment of authority levels, and quality control reviews.
Segregation of duties is one of the most important aspects of any internal control environment. This can be difficult to implement with small staff sizes; however, the benefit gained is paramount. Cash transactions, both incoming and outgoing, need segregation of duties. The individual who receives cash should not be the same individual who records the activity in the accounting system, or the individual who reconciles the bank statements. The same principle applies to payroll processing; one individual should have the ability to add new employees, or process pay changes, and another individual should perform a review of these transactions. It’s very risky to have one individual make all employee changes to the payroll file, process the payroll, and then receive and distribute checks. Additional examples of appropriate segregation of duties include separating the maintenance of vendor records from those employees with check-writing capabilities, and separating Information Systems employees with developer responsibilities from those in production control.
At Beacon, our underwriters have the authority to issue insurance policies within established thresholds for premium, credits, exposures, etc. Policies outside of these thresholds require management approval. The same applies in the Claims Department. Claims adjusters have payment and reserve authority levels based on experience. When a claim exceeds the authority levels, management approval is required. While this is simplistic and common in the insurance world, it’s very important that management and staff alike be knowledgeable about what those authorities are and that they are reviewed on a regular basis. Expansion or limitation of an employee’s authority levels is an extension of risk exposure.
Quality control reviews are an effective internal control process to mitigate the risk of granting authority levels. By having an independent employee review the work of underwriters and claims adjusters, management is assured that the authorities granted to those employees are being maintained and that work is being produced within departmental standards.
Overall, businesses face risk every day, and these risks must be recognized, triaged, and mitigated to within the confines of risk appetite and tolerance. Risks evolve over time, which requires ongoing maintenance and monitoring of the mitigation efforts to ensure continued effectiveness. Effective mitigation efforts reduce the risk exposure to within one’s comfort zone, known as risk appetite.