Business Risk, Continuity and Protection: Thoughts for boards on COVID-19

by Monique Bachner

          This article stems from the 5th web “Coffee Chat” organised by the Luxembourg Institute of Directors (ILA) on 29 April 2020, and hosted by Fernand Grulms, independent director and member of the ILA Management Committee.

          Fernand was joined this week by Jean-Philippe Peters, partner at Deloitte where he leads the risk advisory practice.  Jean-Phillipe has more than 17 years’ experience in various risk and compliance issues in financial institutions.  Thierry Flamand, also at Deloitte, has more than 25 years’ experience in actuarial services for pension funds and insurance companies and he is a local expert in regulatory matters. Philippe Goutière, is managing partner at ABIL, an insurance brokerage company he founded three years ago and he is also a member of ILA working group on insurance.  Laurent de la Vaissière, with 19 years’ experience, is an associate partner at KPMG, Luxembourg.  He is involved in IT auditing and the KPMG technology risk advisory team.  Anne-Sophie Minaldo, also a partner at KPMG, and head of the Luxembourg regulatory department is involved in the banking, investment, management funds and forensic analysis. 


          How is D&O insurance applicable with regard to Covid-19? 

          Board members must react to Covid-19 by balancing many interests. Employees interests will often not be the same as those of shareholders.  

          Boards must be aware of potential claims if they have not acted prudently..  For example, ensuring appropriate measures to protect workers. Depending on the policy, D&O may be limited to defence costs – an important aspect to defend against unwarranted claims.  

          Other items to think about include discrimination if certain employees consider themselves not as well protected as others, and avoiding the accumulation of losses if the company starts to look like it is moving towards bankruptcy, Comparison to how their peers have acted is often done in hindsight.  

          As insurers will likely incur losses, businesses will certainly see changes in insurance policies at renewal.  More questions will be asked on a company’s financial assessment, risk management and liquidity predictions. Premiums will be based on sector, and maximum coverage may be reduced.   Boards should note that the policy applicable is usually the cover in force when claim is made - so beware!  This means a D&O claim in 2021 for a decision taken in April 2020 will often have the relevant 2021 policy covering it. 


          What has been the effect of Covid-19 on Business Continuity Plans? 

          BCPs, created to protect and recover systems in the event of potential threats to an organisation, involve various key elements related to crisis management, continuity planning, IT disaster recovery and external and third party risks.  
          As BCP were traditionally based on the idea that team offices are unavailable and backup offices were used, no social-distancing contingency was foreseen. None of experts had seen a BCP foreseeing massive working from home (WFH), so Boards clearly need to ensure these are updated.  
          With regards to WFH itself and IT aspects, regulators had been historically somewhat conservative on the subject.  Suddenly, many organisations had to have VPN and remote access almost immediately.  Boards must satisfy themselves that IT measures are up to security policy of the organisation and ultimately of regulators.  With cybersecurity a considerable concern for many companies, this could potentially involve claims on insurance companies.  
          Second, there is often a lack of digitalisation in the processes.  If critical processes still rely on paper (e.g. signing), this is a challenge to WFH.  Boards should review their BCPs thoroughly.  Essentially, all aspects of a BCP, including cybersecurity should still be underpinned by corporate governance and efficient programme management, especially in the financial sector.  Pandemics are usually excluded on most insurance policies., however cyber-attacks might still be covered by cyber insurance policies.    

          What practical advice would you give to Board when updating their BCPs? 
          All aspects of a BCP should be grounded in appropriate governance and related procedures and oversight.  Board members should check with management the current state of affairs, and understand where the BCP has or has not worked well and as expected.  For example, staff likely took decisions with some urgency.  New realities like this should be backed up with updated written principles,  procedures, and processes.  Boards should stay connected with teams and people to ensure they are operating as they think they are, ultimately ensuring they understand current internal governance arrangements, and are able to challenge these where appropriate.  
          Ethics and codes of conduct are also becoming more and more important as  Boards must trust their delegates as there may be less capacity to directly oversee them.  Boards should not delay in not only assessing the impact of Covid-19 on their business, but already start taking the time to analyse the lessons learned even now.
            
          Audit process can support Boards in times of change
          While more challenging, remote audits can – and are - done.  Interviews can be done by video calls, whilst on-site staff are kept to a minimum.  Once auditors have remote access, much of the observation and testing can be done remotely.  Board members must support this process, by ensuring their company addresses eventual non-compliance risks.  Following any audit, Board members should re-assess risk areas and check guidelines from the audit committee, interacting with them and ensuring feedback to the Board as a whole.   

          For Insurance companies, Covid-19 has impacted their Own Risk and Solvency Assessments

          As a key element of the prudential Solvency II Directive, the own risk and solvency assessment (ORSA) is a set of processes constituting a tool for decision-making and strategic analysis. It aims to assess, in a continuous and prospective way, the overall solvency needs related to the specific risk profile of an insurance company.
          ORSA has six main components that are impacted as a result of Covid-19: the risks review process, sovereignty and capital assessment, documentation, governance and capital planning.  Capital assessment is the cornerstone of ORSA.  There are a number of triggers that can result in a review of the ORSA process, for example adverse movements in financial markets, solvency assessment, or changes in risk profile.  The specifics of these should be correlated with specific economic recovery. 
          In general, infectious viruses resulting from a pandemic were not foreseen by the framework.  The pandemic will have an effect on insurance policies, insurance and the re-insurance industry, with highest impact will be on non life insurance.  
          International press has speculated on political pressure to transfer some risks to the insurance industry even where not usually covered. For the moment States have set up funds for specific purposes.   For example, in Luxembourg, funds have been established to cover for Covid-19 losses for businesses. 

          For the banking sector, how has ICAAP been useful to review risk in these times?

          The Internal Capital Adequacy Assessment (ICAAP) is part of the Basel II accord applicable to the banking sector. Its role is to permit banks to assess their risks (e.g. systemic, legal, liquidity, among others).  
          Banks have had to adapt their ICAAP processes.  The current crisis is a typical trigger to review and stress test ICAAP and a Covid-19 impact assessment should be done now.   There are four main risks for banks: market risk on the asset side, the credit risk from debtors, operational resilience (for example, by way of business continuity plans (BCPs) or outsourcing risks) and capital planning.  Credit risk is probably the most significant for banks in the context of Covid-19 as banks expect a rise in default from debtors.  The State has taken this into account and has set up funds to shield SMEs from Covid-19’s worst impacts, and declared a moratorium on repayments.  Banks must also question assumptions underlying these ICAAP models.  It is difficult to project business plans of banks for the next two or three years coming even on a macro-economic level as most risk models rely on various hypotheses.  Covid-19 and what it has occasioned was not one of these hypotheses.  
          As Economists debate the recovery curve, the impact of Covid-19 on future profits is the number one challenge for Banks and their ICAAP models. 

           


          By Monique Bachner, ILA Board member and a governance professional involved in various Boards.