Managing Operational Risk of Insurance Companies – Part 3

Key Risk Indicators

Key indicator definitions

Risk, Control and Performance Indicators are common but distinct metrics used in the industry.  All can play a valuable role in the measurement of the risk profile – as long as it is understood that each measures a different aspect of the business process and will indicate changes at different times in the risk escalation cycle.

  • Key risk indicator: metrics that measure changes in the drivers of inherent risk (change in risk likelihood or impact – linked to Risk control assessment)
  • Key performance indicator: measure of business performance against objectives; business environment changes may drive risk at the macro level (change in business performance – linked to Business objectives)
  • Key control indicator: measures the effectiveness of a specific control and hence acts as a measure of residual risk (changes in control design or performance – linked to Risk control assessment)

Leading and lagging indicators

KRIs must be linked to risks.  The risks need to be split into constituent risk parts so that KRIs can be aligned to them.

The rationale for both leading and lagging indicators should be explained: the rationale for a leading indicator considers the causes of the risk, while the rationale for a lagging indicator considers its impacts.

KRIs can then be suggested based on the logic.

The ability to report on the suggested KRI has to be a consideration for the present, but it is best practice to record what an ideal set of KRIs looks like for future capabilities.

For instance:

  • Key risk: inconsistent financial, business and risk management data and inconsistent, inaccurate reporting.
  • Risk component: ineffective business processes
  • Rationale for indicator: Leading – processes are not documented and Lagging – process errors
  • Key risk indicator: percentage of up-to-date procedure documents that are in place for key processes (Leading); errors as a percentage of processing transactions (Lagging)

By using percentages as KRIs it is easier to make comparisons between periods and areas.  This helps refine the KRI thresholds which indicate when the risk exposure is likely to be too high.
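As an added illustration of the two KRIs from the worked example above (this code is not from the original article), the snippet below expresses each indicator as a percentage, compares it with a threshold, and reports the change between periods so that areas and periods can be compared on the same footing. The threshold values, the area names and the period observations are all constructed for the example; a real programme would take them from its KRI definitions and reporting data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class KRI:
    name: str
    kind: str              # "leading" (cause-oriented) or "lagging" (impact-oriented)
    threshold_pct: float   # assumed threshold; breaching it signals exposure is likely too high
    higher_is_worse: bool  # True for error rates, False for coverage measures


# The two indicators from the worked example; the thresholds are assumed values.
PROCEDURE_COVERAGE = KRI("up-to-date procedure documents for key processes", "leading", 80.0, False)
PROCESSING_ERRORS = KRI("errors as a percentage of processed transactions", "lagging", 2.0, True)

# Constructed observations: data[area][period] = (numerator, denominator)
COVERAGE_DATA = {
    "Claims":       {"2023-Q3": (12, 20), "2023-Q4": (17, 20)},
    "Underwriting": {"2023-Q3": (18, 20), "2023-Q4": (19, 20)},
}
ERROR_DATA = {
    "Claims":       {"2023-Q3": (30, 1000), "2023-Q4": (15, 1200)},
    "Underwriting": {"2023-Q3": (0, 0),     "2023-Q4": (5, 500)},
}


def kri_value(numerator: int, denominator: int) -> Optional[float]:
    """Express a raw count as a percentage; return None when there was no activity,
    so an empty period is reported as 'no data' rather than as 0% or 100%."""
    if denominator <= 0:
        return None
    return round(100.0 * numerator / denominator, 2)


def breached(kri: KRI, value: Optional[float]) -> bool:
    """A coverage KRI breaches when it falls below the threshold; an error-rate KRI when it rises above."""
    if value is None:
        return False
    return value > kri.threshold_pct if kri.higher_is_worse else value < kri.threshold_pct


def summarise(kri: KRI, data: Dict[str, Dict[str, Tuple[int, int]]]) -> Dict[Tuple[str, str], dict]:
    """Return, per (area, period), the KRI value, whether the threshold is breached,
    and the movement against the previous period with data."""
    out: Dict[Tuple[str, str], dict] = {}
    for area, periods in data.items():
        previous: Optional[float] = None
        for period in sorted(periods):
            num, den = periods[period]
            value = kri_value(num, den)
            change = None if value is None or previous is None else round(value - previous, 2)
            out[(area, period)] = {
                "kri": kri.name,
                "kind": kri.kind,
                "value": value,
                "breached": breached(kri, value),
                "change_vs_prior": change,
            }
            if value is not None:
                previous = value
    return out


if __name__ == "__main__":
    for kri, data in ((PROCEDURE_COVERAGE, COVERAGE_DATA), (PROCESSING_ERRORS, ERROR_DATA)):
        for (area, period), row in summarise(kri, data).items():
            flag = "BREACH" if row["breached"] else "ok"
            print(f"{kri.kind:7} {area:12} {period} value={row['value']} change={row['change_vs_prior']} {flag}")
```

Reporting "no data" separately from a zero value matters for the lagging indicator: an area that processed nothing in a period has not achieved a 0% error rate, and treating it as such would mask a gap in the reporting capability that the text recommends recording.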

Risk & Control Assessment (RCA)

What is a Risk and Control Assessment (RCA)?

It is a process whereby a business assesses the risks to its objectives (i.e. strategy, BAU activities, products) and the effectiveness of the controls over them in a structured and comprehensive manner.

The term RCSA (risk and control self-assessment) is often used; the self-assessment element ensures that the first line feels more ownership of its risks and controls.

Common RCA workflow (according to BEICF: Business environment and internal control factors):

The process starts in each business department by identifying the risks faced by the entity. Once the risks are identified:

  • rate the inherent risk (impact and likelihood before any controls are considered);
  • identify the controls that address each identified risk;
  • evaluate each control: is it working as intended, and is it suitable for the purpose it was designed for?
  • rate the residual risk that remains after the effective controls are taken into account;
  • decide which actions or plans are needed.

Risks are assessed in terms of Impact and Frequency/Likelihood at the inherent and residual level. The difference between inherent and residual is the strength of the controls.

The controls in place will be a mixture of preventative and detective/reactive.

Preventative controls stop a risk occurring. These controls are generally costlier to implement and they mainly affect the frequency of risk occurrence.

Detective/reactive controls identify that a risk has occurred and should lead to actions to rectify the issue swiftly.  These controls mainly affect the impact.

Residual risk assessments are compared to the risk tolerance. This should be aligned with the risk appetite statement for the risk in question.

Where there is a difference between the risk tolerance and residual risk it generally means that the risk is not being adequately controlled.  (It could mean over-controlled but this is less frequent!).
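As an added example (not code from the original article), the following models the RCA steps just described: an inherent rating for impact and likelihood, preventative controls that reduce likelihood and detective/reactive controls that reduce impact, a residual rating that only credits controls found to be operating as intended, and a comparison of the residual score against the tolerance taken from the risk appetite statement. The 1–5 rating scales, the multiplicative effectiveness model, the tolerance values and the two sample risks are all assumptions constructed for illustration; the article prescribes no particular scale or formula.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed 1-5 rating scale; an insurer would use its own scales and matrix.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    name: str
    kind: str                    # "preventative" (acts on likelihood) or "detective" (acts on impact)
    effectiveness: float         # assumed share (0.0-1.0) of the rating removed when the control works
    operating_effectively: bool  # outcome of testing whether the control works as intended


@dataclass
class Risk:
    name: str
    impact: int                  # inherent impact rating, 1-5
    likelihood: int              # inherent likelihood/frequency rating, 1-5
    tolerance: int               # maximum acceptable residual score (impact x likelihood), from the appetite statement
    controls: List[Control] = field(default_factory=list)


def _apply(rating: int, controls: List[Control]) -> int:
    """Reduce a rating by each control that is operating effectively.
    The result is rounded up so that controls are never over-credited."""
    remaining = float(rating)
    for c in controls:
        if c.operating_effectively:
            remaining *= (1.0 - c.effectiveness)
    return max(SCALE_MIN, min(SCALE_MAX, math.ceil(remaining)))


def inherent_score(risk: Risk) -> int:
    return risk.impact * risk.likelihood


def residual_rating(risk: Risk) -> Tuple[int, int]:
    """(residual impact, residual likelihood): detective controls act on impact,
    preventative controls on likelihood, as the text describes."""
    preventative = [c for c in risk.controls if c.kind == "preventative"]
    detective = [c for c in risk.controls if c.kind == "detective"]
    return _apply(risk.impact, detective), _apply(risk.likelihood, preventative)


def residual_score(risk: Risk) -> int:
    impact, likelihood = residual_rating(risk)
    return impact * likelihood


def assess(risk: Risk) -> Dict[str, object]:
    """Compare residual risk with tolerance and list controls that failed testing,
    which is where remediation actions usually start."""
    residual = residual_score(risk)
    return {
        "risk": risk.name,
        "inherent": inherent_score(risk),
        "residual": residual,
        "tolerance": risk.tolerance,
        "status": "outside tolerance" if residual > risk.tolerance else "within tolerance",
        "ineffective_controls": [c.name for c in risk.controls if not c.operating_effectively],
    }


# Constructed sample register based on the worked KRI example earlier in the article.
SAMPLE_RISKS = [
    Risk("inconsistent financial, business and risk management data", impact=4, likelihood=4, tolerance=6,
         controls=[Control("documented and maintained procedures", "preventative", 0.5, True),
                   Control("monthly data reconciliation", "detective", 0.5, True)]),
    Risk("processing errors in key transactions", impact=3, likelihood=5, tolerance=6,
         controls=[Control("maker-checker on transaction input", "preventative", 0.5, False),
                   Control("exception report review", "detective", 0.5, True)]),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(assess(r))
```

In the second sample risk the preventative control failed its test, so the likelihood rating is left at its inherent value and the residual score ends up above tolerance; the assessment output names that control, which is the gap the action plan would address. A residual score far below tolerance is also worth a look, since it may point at the less common over-controlled case mentioned above.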

Operational Risk Reporting

Characteristics of operational risk reporting are:

Comprehensive

  • Reports should cover all material operational risks and business lines across the insurer
  • Risk measurement processes and systems feeding reports should be able to quickly alter underlying assumptions to reflect changing conditions

Appropriate and relevant

  • The reports should be geared to a level appropriate to the audience
  • More detailed reporting should be available to support executive-level reporting

Timely

  • Reports should be produced in a timely manner and circulated with the frequency appropriate to the risks and businesses covered
  • Certain risks and businesses should be monitored more frequently than other risks and businesses
  • Specific events (e.g. significant market movements) should trigger additional reporting outside of normal schedules

Forward-looking

  • Effective operational risk reporting should contain forward-looking elements, rather than just risk metrics based on actual or historical periods that may not be good indicators of future developments
  • Forward-looking metrics should be based on “what-if” scenarios that are varied enough to describe what may happen under various stress levels and practical so management can take action as deemed appropriate

Qualitative and quantitative

  • Reports should contain a balance of quantitative data and qualitative analysis to best inform management about evolving conditions and support judgement, planning and decision making
  • Avoid undue reliance on statistical examples that can create a false sense of quantitative precision

Integrated

  • As siloed reporting often leads to a misunderstanding of risk relationships, risk should be assessed consistently across the business and all risk management functions on an integrated basis to identify firm-wide sensitivities and concentrations

Action oriented

  • Risk reporting should promote escalation of issues, decision making and accountability
  • Reports should effectively communicate issues to the relevant parties at the appropriate level of detail

Effective ORM reporting and proper communication establishes the following:

  • Provides a consolidated, multi-dimensional view of the operational risk environment
  • Facilitates escalation of high-risk areas to Senior Management / Board of Directors and regulators
  • Increases transparency between business units, corporate functions, Senior Management and the Board of Directors
  • Allows management to make informed decisions based upon up-to-date risk information

In summary, reporting should be:

  • Comprehensive – cover all material risks
  • Forward looking – combine quantitative and qualitative information with analysis
  • Identify emerging risks
  • Timely
  • Integrated – leverage other processes and data
  • Appropriate / relevant – no “one size fits all”

Data Aggregation

To enable effective reporting of operational risk exposures across the insurer, risks must be assessed consistently for all operational risk types, and the risk data must be capable of being aggregated and disaggregated across the business.

Operational risk taxonomies enable this by ensuring a consistent articulation of risk, to which consistent metrics can then be applied.

Operational Risk Profile

Operational risk exposures and the risk profile should be reported in the context of Operational risk appetite.

To be continued………..
