Risk Management for Private Health Insurers

On 27 July 2017, APRA released the final version of Prudential Standard CPS 220 Risk Management (CPS 220) for Private Health Insurers (PHI). This represents the most significant change to the regulatory regime since the transition from the Private Health Insurance Administration Council (PHIAC) to APRA, with risk being the first of three phases of APRA’s PHI Policy Roadmap.

The standard will apply to all PHIs from 1 April 2018.

CPS 220 is a key part of APRA’s overall approach to sound risk management, and extending it to the PHI sector was the logical next step in the move from PHIAC to APRA’s regulatory environment.

The new standard forms the foundation of the Risk Management Framework (RMF) for all APRA-regulated financial services businesses. It is therefore critical that PHIs fully embed its principles and practices into their operations, as they will be expected to get up to speed quickly and operate at the same level as other APRA-regulated entities.

What does this mean for your organisation?

The Board has ultimate responsibility for having an RMF that is appropriate to the size, business mix and complexity of the organisation. At a minimum, the RMF must include the Risk Appetite Statement (RAS), Risk Management Strategy (RMS) and a business plan, all of which must consider the material risks of the organisation. This requires detailed policies and procedures.

CPS 220 also stipulates the need for an “operationally independent” risk management function, to be led by a CRO who must report directly to the CEO, and a compliance function. For some organisations, this will mean changes to current operational structures.

Underpinning all of these changes is a strong tone focused on risk culture. The CEO and the Board should model this tone, which should permeate the organisation and be continually monitored and measured for effectiveness.

Setting your organisation up for success

Building a risk management ecosystem optimised for today’s challenges requires buy-in across the organisation. Four steps that can set your organisation on the right path are: 

  1. Set a strong organisational tone focused on risk culture
  2. Align risk management with strategy at the point of decision-making
  3. Implement a clearly defined risk appetite and framework across the organisation
  4. Develop risk reporting that enables executive management and the Board to effectively execute their risk oversight responsibilities

Perspectives on CPS 220 Risk Management for Private Health Insurers

Interview with Katherine Martin, PwC's Regulatory Assurance Director, on APRA's PHI prudential policy framework and CPS 220 Risk Management
Interview with Sarah Hofman, PwC's Regulatory Assurance Partner, on strategies for implementation and lessons learnt from the broader Financial Services industry
Interview with Jenn Whittaker, PwC's Culture and Behavioural Change Director, on the importance of risk culture to the implementation of CPS 220
