INSIGHTS: Private health insurers to face proposed new risk management prudential standard

January 17, 2017

In December 2016, APRA released a Discussion Paper on a proposed “Risk management prudential standard for private health insurers”.

APRA is proposing to issue a new Prudential Standard CPS 220 Risk Management (CPS 220), which will apply to private health insurers.

The discussion paper invites submissions on the extent to which features of the private health insurance (PHI) industry warrant different prudential requirements to those mandated for other APRA-regulated institutions under CPS 220.

Amongst other things, CPS 220 provides that the board of an APRA-regulated institution is ultimately responsible for the institution’s risk management framework and oversight of its operations by management.

If CPS 220 is implemented in its current form, APRA will expect the board of a private health insurer to provide direction and leadership on the institution’s approach to risk management, in particular:

  • to set a clearly articulated risk appetite so that the boundaries within which management may operate are clear
  • to oversee the implementation and ongoing operation of a robust and effective risk management strategy
  • to approve a business plan that sets out the approach for the implementation of the strategic objectives of the private health insurer.

Other prudential risk requirements may include:

  • establishing an independent board risk committee, separate from the board audit committee, to provide the board with objective non-executive oversight of the risk management framework
  • appointment of a Chief Risk Officer who is to be independent from business lines, other revenue-generating responsibilities and the finance function of the private health insurer, and who has a direct reporting line to the Chief Executive Officer and unfettered access to the Board and its sub-committees
  • two types of periodic review of the risk management framework – an annual review of the risk management framework, by internal and/or external audit and three-yearly comprehensive review of the appropriateness, effectiveness and adequacy of the framework, by an operationally independent expert
  • an annual risk management declaration by the Board concerning the adequacy of, and compliance with the risk management framework.

APRA’s current intention is to finalise any revisions to CPS 220 during 2017, so that the requirements for private health insurers will come into effect from 1 January 2018.

Private health insurers who require assistance in preparing a submission to APRA or understanding the impact and requirements of the proposed CPS 220 should contact our financial services and private health regulatory expert Michael Bracken.