Board Effectiveness in Regulated Insurance Environments


Summary

Board effectiveness in regulated insurance environments refers to how well a board of directors oversees compliance, risk management, and governance in companies that must follow strict industry rules. In these settings, boards play a vital role in making sure the organization manages risks, responds to regulatory requirements, and remains resilient against issues like cyber threats or operational failures.

  • Strengthen oversight: Review risk dashboards, compliance frameworks, and internal controls regularly to catch potential issues before they escalate.
  • Promote transparency: Encourage honest reporting from management by using independent checks and ensuring all board members can challenge and discuss key matters openly.
  • Build crisis readiness: Monitor business continuity plans, disaster recovery drills, and cybersecurity measures so the organization can quickly respond to incidents.
Summarized by AI based on LinkedIn member posts
  • Mayurakshi Ray

    Independent Director | First Cybersecurity Board Member in India | Executive leadership - Big 4 & Multi-National Enterprises | Advisor | Chartered Accountant | Women Leadership Advocate | Mentor | Top Thought Leadership Voice

    6,564 followers

    The recent regulatory guidelines, viz. RBI Master Directions of Nov 2023 and SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) of Aug 2024, lay added importance to cyber resilience, business continuity and disaster recovery, incident response and recovery from cyber incidents. Boards are increasingly attentive and seeking deeper insights on the organizations' preparedness to respond to and recover from cyber incidents. Being part of the Boards of regulated entities, I saw this quarter's IT Strategy and Technology Committee meetings, as well as the Board meetings, delve deep and enquire with the security and technology leadership and sometimes directly with the MD/CEO on:

    1. Cyber incidents reported, their impact and root-cause assessments. Note: for the organizations, these were mostly hits or false positives.
    2. Resilience scores, with Q-o-Q and Y-o-Y comparatives
    3. Business Continuity Drills and results
    4. Disaster Recovery exercises and results
    5. Health check report on the primary as well as the recovery sites, including cloud DR assessments
    6. Cyber / technology risk assessments
    7. Compliance and reporting (technology)
    8. Ongoing governance and improvement around the Cyber Crisis Management Plan (or similar plan, by whatever nomenclature it's defined)
    9. Adequacy of technology & security resourcing and training
    10. Data protection, with special emphasis on vendor / third party access to critical data & resources and controls around the same

    The above were some of the top discussion points, but not the only ones. As Boards are made more and more involved and responsible over governance of the organizations' cyber security, resilience, technology governance and risk assurance, Board members will engage more regularly in discussions about cyber risks, and inquire of the management their capacity-capability-readiness to respond to and recover effectively from cyber incidents.

    And above all, the Board would like to ensure compliance with all the relevant regulatory provisions, including on technology and #cybersecurity. To all Technology and Security leaders - the message is very clear: the regulators and the Boards would like to see much more than a mere tick-mark exercise, especially if you're a regulated entity.

    - read through each clause in the directions & circulars from regulators
    - assess thoroughly your current status, including process, operations, technology architecture, procedures, documentation et al.
    - perform risk assessment - technology and operations, over each part of your business
    - conduct data flow analysis, ascertain your data protection strategy
    - analyze your third party / vendor connections at all business touchpoints

    Once you analyze your current state, compare it with the requirements given by regulatory directions. Then, step-by-step, put in the measures, updates, upgrades. These are critical steps and require expert acumen - take help from external experts, as required. #technologygovernance

  • Mustapha Bernabas Mugisa (aka Mr Strategy)

    Founding Director @ Summit Consulting Ltd | EX-EY | Certified Fraud Examiner | MBA | Author, 7 Tools To Get On The Board & Add Value | ACCA Student Award Winner | Board Member | Board & Exec Coach, Strategy, Risk & Cybersecurity

    16,697 followers

    How CEOs sabotage governance effectiveness (and what to do about it)

    About eight years ago, while advising a regional insurance firm, I sat across from a CEO who confidently told me: “Our Board is just ceremonial, it’s regulatory window dressing one, I run everything here.” He wasn’t joking. Fast-forward three quarters, that same CEO was forced out—not because of poor earnings, but because of a compliance breach the Board didn’t see coming. Why? Because the very person meant to feed them truth had mastered the art of selective storytelling.

    Some CEOs are the biggest roadblocks to good governance. Here’s how they do it—subtly, cleverly, and often, unintentionally.

    First, they suffocate the Board with fluff-packed Board packs. I’ve seen 300-page decks with zero actionable intelligence. In that same insurance firm, the CEO buried material risk under glossy slides on “strategic alignment.” When asked about claims fraud, he’d deflect: “We’re benchmarking industry trends.” That’s not governance. That’s theatre. That is deflecting.

    Second, they engineer Boards that are either too cozy or too clueless. CEOs will nudge nominations to bring in friends, former classmates, or retired executives too polite to push back. In the same case, three Board members were his former mentors. They gave feedback with caution, not courage. They withheld because they knew he had “appointed” them.

    Third, they dominate agenda-setting. This is the silent killer. By controlling what makes it to the Boardroom, they pre-empt uncomfortable topics—like cyber risk, whistleblower cases, or auditor findings. Instead, time is wasted reviewing quarterly performance the EXCO already dissected weeks ago.

    To fix it? Start with diagnosis. Like a good doctor, a governance transformation must begin with diagnostics: Board composition, committee function, agenda control, CEO reporting lines, and Board information flow. Until you know what’s broken, you can’t reset.

    Then, equip the Board Chair to reclaim the steering wheel. Let the CEO run the company, but the Chair must frame the company’s direction. Create an annual Board work plan aligned with strategic risks. Bring in independent facilitators to run annual Board-EXCO alignment sessions. In that same insurance company, we introduced a quarterly “Board Truth Brief” — a one-pager showing blind spots, root-cause flags, and cross-functional risks. It forced the CEO to bring real issues, not polished rehearsals.

    The leadership tool I use with clients is the Agenda Filter. Every Board item should answer one of three questions:

    a) Does this decision alter our long-term risk or capital position or enterprise value?
    b) Will this shift customer trust or regulatory standing?
    c) Are we seeing patterns we’re afraid to say out loud?

    If it doesn’t pass any, it doesn’t belong on the agenda.

    Governance isn’t a burden. It’s the ultimate insurance. That’s the job. Do it well. Or get out of the way.

    I remain, Mr Strategy

  • Sowati Sowali Mukose - MBA, CPA, BCOM, CERM

    Head of Risk | Managing Partner| Open to Networking & Collaboration in Training & Consultancy, Strategy, Risk & Compliance Management, Internal Audit, Banking, and Finance & Accounting.

    13,983 followers

    🌍 Board's role in Risk & Compliance Management

    1. Risk Oversight
    Boards are responsible for ensuring that the organization identifies, assesses, and manages risks that could impact strategy, performance, or reputation. Key risk categories under board oversight:
    - Strategic Risks – market shifts, competition, M&A, innovation.
    - Financial Risks – credit, liquidity, capital adequacy, interest rate, forex.
    - Operational Risks – fraud, cyber threats, business continuity, process failures.
    - Compliance Risks – regulatory breaches, legal liabilities.
    - ESG & Reputational Risks – environmental, social, governance, ethical lapses.
    Boards must ensure risks are within the defined risk appetite and that management has adequate mitigation frameworks.

    2. Compliance Oversight
    Compliance is about adherence to laws, regulations, internal policies, and ethical standards. Boards must ensure that compliance frameworks are robust and effective. Core compliance areas:
    - Regulatory Compliance – meeting sector-specific laws (e.g., banking regulations, labor laws, tax obligations).
    - Internal Policies – ensuring codes of conduct, anti-bribery, AML/CFT, and HR policies are implemented.
    - Reporting Obligations – timely, accurate disclosures to regulators, shareholders, and stakeholders.
    - Ethics & Integrity – promoting a culture that discourages misconduct and protects whistleblowers.

    3. Board’s Risk & Compliance Responsibilities
    - Approve the risk appetite framework.
    - Monitor risk dashboards and key risk indicators.
    - Review the effectiveness of internal controls and compliance programs.
    - Oversee independent assurance functions (audit, risk, compliance).
    - Hold management accountable for breaches, losses, or systemic failures.
    - Ensure the organization is crisis-ready.

    4. Challenges in Risk & Compliance Oversight
    - Complexity of regulatory environments (especially in financial services).
    - Emerging risks (cybersecurity, climate risk, AI ethics) that boards may lack expertise in.
    - Balancing innovation vs. risk control (e.g., fintech adoption).
    - Weak compliance culture where policies exist on paper but not in practice.
    - Over-reliance on management reporting without independent verification.

    5. Best Practices
    ✅ Establish board risk and compliance committees.
    ✅ Conduct regular compliance training for directors and management.
    ✅ Use independent assurance (internal/external audit, risk reviews).
    ✅ Integrate risk management into strategy rather than treating it as a silo.
    ✅ Embrace technology tools (e.g., RegTech, risk analytics dashboards).
    ✅ Promote a tone from the top where compliance and ethics are non-negotiable.

    For customized consultancy services/trainings, contact #SmkSowalandAssociatesUG Tel: +256702865035
