Insurers and risk management
The core skill in running an insurance business is the effective management of risk. In deciding whether or not to accept a customer’s business, the proportion of their risk to underwrite, calculating a suitable premium and drafting appropriate terms and conditions, insurers must first and foremost have a clear understanding of the risk that has been placed in front of them. Without this, poor commercial decisions will inevitably be made.
Indeed, successful insurers can point to their ability to make effective commercial decisions through their strong risk management capabilities.
However, one would be mistaken in assuming that excellence in risk management when dealing with clients equates to excellence in the same area when focusing on an insurer’s own operations.
The past 14 months have brought many internal operational risk failures to the public’s attention, with some of the world’s leading insurers and brokers coming under intense regulatory scrutiny over allegations around improper accounting and bid rigging. Also, high street banks have found themselves on the receiving end of an FSA fine for improper handling of mis-selling complaints from thousands of endowment customers.
These, as well as other examples of failures within insurers, have shown that companies can be significantly damaged through not effectively embedding a strong operational risk management framework within the organisation. This cost can be in the form of fines, criminal charges against employees (including senior management), losses through undetected claims leakage and, of course, decreases in share price. As has been shown, the sheer scale of the negative reputational impact that comes with these can not only result in significant brand deterioration, but also loss of current and potential custom.
Effectively dealing with operational risk
In seeking to effectively deal with operational risk, management needs to put in place a culture that drives positive employee behaviour towards managing risk – one where they have the tools and processes to both understand the risks they face and to optimise the management of these risks.
By implementing a robust operational risk management framework that focuses on achieving this goal, companies can satisfy regulators and improve relationships with a variety of other stakeholders.
There are five key activities that go into creating an effective operational risk framework:
- Develop a strong operational risk foundation
- Use a set of integrated tools to assess the operational risk environment
- Measure the cost of operational risk using the inputs from the integrated operational risk tools
- Develop reporting lines and methods that provide effective management information
- Use appropriate systems to support a best practice operational risk framework.
The following sections explain each of these in more detail.
1. Develop a strong operational risk foundation
The key challenge with operational risk (unlike other risk types or categories) is that it spans the organisation. Whereas insurance risk (for example) is managed in defined parts of the firm, operational risk is a consideration for (effectively) everyone across the business. This highlights the importance of having a common foundation in enabling good operational risk management.
Steps that can be taken to develop such a foundation include adopting a common risk language (such as defining operational risk and the categories of risk) for use by all employees and in all risk tools and systems.
With so many areas potentially involved in the management of operational risk (and with responsibility for risk events), clearly stated governance structures should be in place across the organisation so as to ensure that everyone is aware of their roles and responsibilities. For example, common questions include: Who is responsible for managing operational risk – the business unit or the operational risk function? Are they appropriately enabled to carry out this responsibility?
A clearly communicated operational risk appetite also needs to be developed that enables business units to optimise their risk-return profile. By achieving optimum returns through the promotion of appropriate levels of risk taking, boundaries will be created within which all can work without exposing the organisation to unwanted levels of risk.
Finally, everything that contributes to the creation of a solid culture of operational risk management should be contained in a well-maintained policy framework that not only formalises the organisation’s approach to risk, but also provides a central point of reference for employees.
2. Use a set of integrated tools to assess the operational risk environment
Any financial services firm has a range of tools to choose from in developing their operational risk management toolset. As with other firms, the key challenge is not the implementation of individual tools but their implementation as an integrated set of tools that work together to provide an assessment of the risk environment.
In effect, there are four basic types of tools, with numerous variants for each tool:
- Control Self-Assessment: allowing the business to assess the state of its own risk and control environment in a structured way
- Key Risk Indicators: defined metrics with which to monitor the risk environment over time (for example the number of customer complaints or the staff turnover in each business unit)
- Scenario Analysis: using experts in the business to predict likely risk events and their implications
- Loss Data and Incident Management: using data that has been collected on past internal or external events to understand what went wrong and where there are actual or emerging weaknesses in the control environment.
By combining the outputs of each tool, an integrated and comprehensive assessment of each risk can be made, whilst ensuring that the strengths and weaknesses of each approach are taken into account. For example, if losses have been identified but the key risk indicators relating to that type of event haven’t changed, then perhaps new or different key risk indicators should be collected.
3. Measure the cost of operational risk using the inputs from the integrated operational risk tools
By taking the inputs used from the integrated tools in assessing exposures, the cost of operational risk can be measured and in turn, risk capital can be allocated across the organisation.
In addition to the regulatory requirements for measuring operational risk capital, there are internal benefits including the ability to allocate the capital down through the organisation. This allows the cost of risk to be measured against the returns generated and, depending on the risk-sensitivity of the allocation process, can also be used to create incentives for the business to manage risk.
In the first step, there is a range of approaches to measuring the total capital required. These range from relatively simple (and non-risk-sensitive) approaches to more sophisticated approaches, often based around a Monte Carlo simulation of either internal (and/or external) losses or scenario analysis outputs. Given the relative lack of data and the developmental nature of operational risk, there is no single standard that is seen as best practice, although there are some generally accepted over-arching approaches (with numerous variants).
Although assessing the level of operational risk capital is important, the real value from this step comes from embedding risk capital into business unit performance measurement and therefore making it part of business unit decision-making. The aim is not to make operational risk a special ‘bolt-on’ risk measure but, rather, part of general decision-making (so that consideration of risk and return come together).
The allocation of capital supports, amongst other things, risk-adjusted performance measurement that will engage the business and can be used to motivate positive employee and business unit behaviour. Across a range of financial services firms, operational risk scorecards are becoming an increasingly popular way of allocating risk capital. Their advantage is that they allow the business units to see the levers by which capital is allocated and this provides the motivation to optimise a business unit’s level of exposure over time.
4. Develop reporting that provides effective management information
The outputs generated by various operational risk tools provide strong management information. However, unless this information is extracted and consolidated in an easy-to-understand manner, the value it delivers can be severely diminished.
Unlike other risk types, where the profile of risk can be (and is) summarised onto a single page at the highest level, operational risk reports are often a confusing and unrelated mix of lists of risk issues, heat maps and traffic light reports.
The challenge is for firms to move towards the single page summary that then allows for drill down into the detail as required. Good practice operational risk management reporting should be top-down, forward looking, action-oriented, timely and dynamic, and flexible and interactive. Achieving this is facilitated by having all of the information built on a consistent basis (ie risk categorisation, standard hierarchy).
5. Use appropriate systems to support a best practice operational risk framework
As has been the case for some time, the market for operational risk systems (as documented in our regular survey ‘The OpRisk Powergrid’) remains fragmented and there is no clear industry leader. This is partially because operational risk approaches vary significantly from firm to firm and only recently have firms started developing packages that have the flexibility required to be customisable to dramatically different situations. At the same time (although larger firms are in the market) many of the best solutions are being offered by very small firms with limited financial viability.
With the high rate of change in the systems market, it is clear that many firms would be better off improving their management tools before they select a systems solution. Much can be achieved using just spreadsheets and databases. Only very large firms with relatively advanced approaches really benefit from the investment in a large operational risk system.
With the damaging events of the last 14 months, coupled with ever-increasing regulatory demands, assessment and development of a firm’s operational risk management framework must be a central area of focus, where all business units and employees can be fully engaged and bought into the process of effectively managing operational risk exposures across the organisation.
Case study – implementing an operational risk management framework for a major insurer
This major general insurer had done some work in implementing an operational risk management framework but wanted to significantly improve their framework ahead of likely changes to regulation.
The initial phase of this work involved developing a strong operational risk foundation, which included both governance and strategy elements: for example, agreeing operational risk principles, policy framework and the categorisation of operational risk, as well as allocating key roles and responsibilities. PA worked with the insurer to identify gaps in the previous risk policy and put new policies into place that would close those gaps (and ensure regulatory requirements were met).
Further, a set of integrated tools was developed to assess the operational risk environment. Risk controls and self-assessment procedures were outlined, enabling the firm to continuously assess both the risks inherent in its operations and the effectiveness of controls implemented to reduce those risks. Key Risk Indicators were used to highlight key features of the firm’s risk and control environment, to gauge current operational risk status and provide early warning of future exposures. Scenarios were used to generate sample large loss events for input into operational risk capital calculations, and incident management processes enabled the firm to respond to events or mitigate against future risks.
This work saw the insurer take a huge leap in terms of its ability to manage operational risk, and thus protect the business. Bringing the standard of its approach into line with many other institutions within the financial services arena, the client has a practical set of tools with which to develop increased business buy-in to the operational risk management process, that would ultimately drive positive behaviour throughout.