Highlights
Medisur Health Insurance Ltd., established in 2012, rapidly emerged as a key player in India's private health insurance sector. Positioned as a digital-first insurer, Medisur targeted salaried professionals, gig workers, and microbusinesses with affordable premiums and simplified processes. By the end of FY 2022–23, Medisur had covered more than 7.2 million individuals and had a growing portfolio composed of 40% individual policies, 35% group policies, and 25% top-up and critical illness plans. However, behind its impressive growth trajectory lay significant vulnerabilities in its risk management architecture.
Medisur's expansion relied heavily on aggressive underwriting, low reserve margins, and underinvestment in core functions like actuarial science, cybersecurity, and internal audit. Although internal risk teams intermittently raised red flags, the senior leadership and board failed to escalate or address these concerns effectively. As the macro-environment shifted post-pandemic, multiple risk events unfolded between 2023 and 2024, threatening the company’s financial stability, regulatory standing, and public trust.
By mid-2023, Medisur observed a dramatic increase in health insurance claims across its group policies, particularly from SMEs and gig economy platforms. Claims related to diabetes, cardiovascular disease, and hypertension surged by over 40%. These claims were primarily from demographics previously considered low-risk. A root cause analysis revealed that Medisur’s underwriting relied almost exclusively on automated digital disclosures without incorporating biometric screenings or health check-ups. Additionally, the actuarial models had not been revised post-COVID to account for long-COVID-related complications or increased sedentary lifestyles.
The combined ratio exceeded 125%, compared to a stable 98% in FY 2021–22. Claims costs exceeded projected reserves by over €34.5 million, straining the company’s solvency ratio and reducing its flexibility to meet future obligations.
Despite significant portfolio growth and changing claims dynamics, Medisur continued with its pre-2020 reinsurance treaty structures. Their principal excess-of-loss cover retained a per-claim ceiling of €55,000, inadequate for the rising cost of critical care and prolonged hospitalization. Moreover, the absence of an aggregate excess-of-loss (stop-loss) provision meant that Medisur had no cap on total exposure.
In Q3 FY 2023–24 alone, nearly €16.3 million worth of claims breached reinsurance thresholds and had to be absorbed by Medisur’s own funds. Reinsurers refused to retrospectively revise treaty terms. Credit agencies issued warnings, and Medisur's financial rating was placed on a negative watch.
In December 2023, Medisur suffered a devastating ransomware attack through an exploited API of its third-party administrator (TPA) network. Hackers accessed over 2.3 million policyholder records, including Aadhaar-linked data, hospitalization histories, and pre-authorization records. The breach was discovered 72 hours after intrusion, far exceeding the IRDAI-mandated 6-hour breach notification rule.
Post-breach investigation revealed the absence of multi-factor authentication on critical admin panels, outdated encryption protocols, and no formal incident response plan. The cybersecurity audit, scheduled for March 2023, was never completed due to internal restructuring. The breach severely damaged customer trust and regulatory standing.
IRDAI issued a show-cause notice citing violations of its 2023 Cybersecurity Guidelines. As an interim measure, the regulator barred Medisur from onboarding new customers for 30 days, resulting in reputational and revenue losses.
Governance audits revealed that Medisur’s Risk Management Committee had not met in over 12 months. The company’s risk register had not been updated since 2021, and no enterprise-wide risk management (ERM) framework was in place.
The CRO position had remained vacant for nearly eight months, and risk responsibilities were diffused among junior finance staff. Crucial decisions regarding underwriting, pricing, and digital partnerships lacked centralized risk review. Internal audit findings were rarely acted upon, and reporting lines bypassed the board.
Public backlash following the cyberattack intensified across social media. Policyholders complained of delayed reimbursements, lack of transparency in claims communication, and breach of sensitive medical data. Independent health tech influencers published videos explaining how customers’ data was sold on the dark web. Medisur’s app received an average rating of 1.7 on app stores and was briefly suspended for non-compliance with privacy terms.
The call center faced a 3x spike in volumes, with over 40,000 unresolved complaints in January 2024 alone. No dedicated PR spokesperson was available to manage the narrative, and the company’s leadership was perceived as evasive.
In April 2024, a new CEO and a CRO were appointed. Their immediate steps included:
Despite these measures, structural issues persisted:
Q1. Identify and categorize the five key risk types in this case under: Operational Risk, Financial Risk, Strategic Risk, Regulatory/Compliance Risk, and Reputational Risk. Explain how each risk manifested and whether it was foreseeable.
Q2. Critically evaluate Medisur’s corporate governance and internal control structure. What were the systemic governance gaps that allowed these risk events to materialize? Suggest at least two reforms using COSO or IRM ERM principles.
Q3. Analyze the cyber incident from the perspective of both operational risk and regulatory compliance. Refer to guidelines under the IRDAI Cyber Security Framework (2023) and/or global frameworks like HIPAA. What risk controls should have been in place?
Q4. Evaluate the failure in reinsurance planning. How should Medisur have structured its treaties differently, especially in the wake of pandemic-induced claim volatility? Recommend a risk transfer and retention strategy suited to their portfolio.
Q5. Design a roadmap to implement Enterprise Risk Management (ERM) at Medisur. Include four key stages with timelines, and specify how ISO 31000 principles or COSO ERM components will be operationalized across business functions.
Q6. Assess how Medisur could have better handled stakeholder communication during the data breach and regulatory crisis. Propose a crisis communication plan including:
This assessment asks the student to analyse a real-world-inspired insurance failure (Medisur Health Insurance Ltd.) and produce evidence-based, framework-aligned recommendations. The deliverable should be a concise professional report that answers six case questions (Q1–Q6) covering risk identification and categorisation, governance critique, cyber-incident analysis, reinsurance strategy, ERM implementation roadmap, and crisis communication. Key formal expectations:
Answer each question clearly and separately (label Q1–Q6).
Use recognised risk frameworks (ISO 31000, COSO ERM, IRM) and relevant regulatory standards (IRDAI Cyber Guidelines 2023; where applicable refer to global standards such as HIPAA as comparative guidance).
Support assertions with evidence from the case (quoting or paraphrasing facts like claim ratios, breach timing, reserve shortfalls).
Provide practical, implementable recommendations with short timelines, owners, and measurable KPIs.
Show concise quantitative reasoning where needed (e.g., reserve shortfall, reinsurance shortfall amounts).
Reference sources and include a short appendix (risk register template, KRI examples, sample board memo).
Q1 (Risk Identification & Categorisation): List the five risk types (Operational, Financial, Strategic, Regulatory/Compliance, Reputational). For each: (a) describe how it manifested (quoting case facts), (b) explain foreseeability and root cause (e.g., automation-only underwriting), and (c) note immediate impacts (e.g., combined ratio >125%, €34.5m reserve gap).
Q2 (Governance & Internal Control Evaluation): Map Medisur’s governance to COSO/COSO ERM components (Control Environment, Risk Assessment, Control Activities, Info & Communication, Monitoring). Identify systemic gaps (vacant CRO, inactive Risk Committee, missing ERM, weak internal audit) and propose at least two reforms (with steps) referencing COSO/IRM guidance.
Q3 (Cyber Incident Analysis): Build a timeline of the breach, identify control failures against IRDAI Cybersecurity expectations (notification within 6 hours, MFA, encryption, incident response plan). Recommend technical and organisational controls (MFA, encryption-at-rest, patching, third-party risk management, incident response, tabletop exercises) and remediation/notification steps.
Q4 (Reinsurance Evaluation & Strategy): Explain treaty shortcomings (per-claim cap €55k; no aggregate stop-loss). Recommend alternate structures: quota-share for portfolio smoothing, excess-of-loss with higher per-claim limits, aggregate stop-loss (catastrophe stop-loss), and dynamic retentions tied to loss trends; include suggested retention levels, triggers, and monitoring cadence.
Q5 (ERM Roadmap): Deliver a 4-stage roadmap (Assess → Design → Implement → Embed & Monitor) with realistic timelines and owners; map each stage to ISO 31000 principles or COSO ERM components and list deliverables (policy, risk register, KRIs, reporting dashboards, training).
Q6 (Crisis Communication Plan): Provide a brief, actionable plan: objectives, stakeholder segmentation (policyholders, regulators IRDAI, reinsurers, media, employees), core messages, channels/timing, remediation offers, escalation and liaison with regulator, measurement (NPS/complaint volume/KPIs).
Below is the mentor’s structured workflow used to coach the student through the case. Each step includes the mentor’s instruction and the student activity.
Mentor instruction: Extract facts and quantify impacts.
Student activity: Create a two-column facts table (Fact / Evidence) capturing: combined ratio >125%, €34.5m reserve shortfall, €16.3m claims over reinsurance thresholds, 2.3m records breached, 72-hour discovery, 6-hour IRDAI rule missed, vacant CRO, risk committee dormant, 30-day onboarding ban, 40,000 unresolved complaints.
Mentor instruction: Use a risk taxonomy and justify categorisation with one-line evidence and foreseeability comment.
Student activity: Produce a 5-row table: Risk Type | Manifestation | Evidence | Foreseeable? (Yes/No + why). Example entry: Operational Risk — underwriting automation without health checks → evidence: surge in NCD claims from low-risk cohorts; foreseeable because actuarial models not updated post-COVID.
Mentor instruction: Map current governance against COSO/COSO ERM; identify where control activities failed and recommend reforms aligned to the framework. Prioritise 2 reforms for immediacy & 2 for medium term.
Student activity: Produce gap analysis: e.g., Control Environment weak (vacant CRO); Monitoring ineffective (risk register stale). Recommended reforms: (1) Immediate reconstitution of Risk Committee with independent non-executive representation + monthly KRI dashboard reporting to board; (2) Implement formal ERM policy and a rolling internal audit plan tied to risk heatmap.
Mentor instruction: Build a breach timeline, compare practices to IRDAI guidelines and global best practice, then identify missing controls and remediation steps. Emphasise third-party risk management and notification requirements.
Student activity: Produce: (a) timeline chart, (b) control gap list (no MFA, outdated encryption, no IR plan), (c) remediation plan (patching, MFA, encryption, IR planning, notifications to IRDAI, customer support packages) with owners and 30/90/180-day milestones.
Mentor instruction: Explain treaty types and how they affect volatility/solvency; propose a blended reinsurance program appropriate for Medisur’s portfolio. Use quantitative examples to show impact (e.g., compare exposure with €55k cap vs €100k cap).
Student activity: Recommend: (a) short-term: add aggregate excess-of-loss (stop-loss) to cap total exposure; (b) medium-term: renegotiate per-claim limit upward and adopt quota-share for new business to share risk; include suggested trigger levels and monitoring cadence.
Mentor instruction: Create a four-stage roadmap with timelines and KPI examples. Align each stage to ISO 31000/COSO components and assign owners. Keep it operationally focused.
Student activity: Draft roadmap:
Stage 1 (0–3 months): Risk assessment & risk register; hire/confirm CRO; immediate KRI set-up.
Stage 2 (3–6 months): Policy design, reinsurance renegotiations, cyber remediation.
Stage 3 (6–12 months): System implementation (KRI dashboard, claims analytics), training.
Stage 4 (12–24 months): Embedding: periodic stress tests, internal audit cycles, board reporting.
Mentor instruction: Use stakeholder-first approach; produce sample messages and a timeline for disclosures and remediation offers. Ensure regulator liaison is central.
Student activity: Prepare: high-level messaging (acknowledgement, apology, remediation steps), segmented communications (email templates for policyholders, press release skeleton, regulator notification checklist), and KPIs (complaints backlog trend, customer satisfaction recovery target).
Mentor instruction: Structure the final report with an executive summary, question answers, recommendations, and appendices. Validate figures and ensure consistent referencing.
Student activity: Combine work into a 6–8 page report + appendices (risk register template, KRI dashboard mock, timeline Gantt), and run a peer review pass with mentor.
Deliverables produced under mentor guidance:
Executive Summary (1 page): high-level findings and top 6 recommendations.
Question-by-question answers (Q1–Q6): each with analysis, evidence, and prioritized recommendations.
ERM Roadmap: four stages with timelines, owners, and KPIs.
Reinsurance Recommendation: suggested treaty mix and rationale.
Cyber Remediation Plan: short-term fixes (30 days), medium-term improvements (90–180 days) and long-term controls (policy + training).
Crisis Communication Plan: messaging scripts, stakeholder map, sample regulator notification, and customer remediation package.
Appendices: risk register template, sample KRI dashboard mock (key metrics: claims frequency, average claim size, reserve adequacy ratio, unresolved complaints), sample board memo.
Cross-checked all factual statements against the case text.
Reconciled monetary figures (€34.5m reserve gap, €16.3m reinsurance breach) and used them to justify urgency and choice of reinsurance solutions.
Ensured recommended timelines were realistic (e.g., immediate cyber fixes within 30 days).
Confirmed alignment of recommendations with ISO 31000 and IRDAI notification requirements.
© Copyright 2026 My Uni Papers – Student Hustle Made Hassle Free. All rights reserved.