Managing Operational Risk of Insurance Companies – Part 1

This article will examine the basics of operational risk management for insurance industry; although definition and the type of operational risks facing financial services companies share similar attributes, insurance industry in Vietnam has been more vulnerable to these than other companies in the financial services sector.

We will look at the basics and followed by some tips for improving and managing these risk with some efforts. This will be a series of blog posts trying to simplify and breaking down operational risks in to more understandable concepts.

I have been working with Vietnamese insurers on these topics for quite a some time, and as such have a good grasp of the stage as far as industry maturity is concerned.

Let’s begin by looking at simple yet important definitions:

What is Operational Risk

Regulatory definition of Operational Risk

Each company is responsible for assessing, managing, and monitoring the risks that arise from its day-to-day operations. Regulators define operational risk as:

“The risk arising from the inadequacy or failure of internal systems, personnel, procedures or controls leading to financial loss. Operational risk also includes custody risk”. (International Association of Insurance Supervisors – IAIS); and

“The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events” (Basel Committee on Banking Supervision aka Basel II).

According to Basel I, there are seven operational risk event categories:

  • Business disruption and system failures ( e.g.: software or hardware failures)
  • Internal fraud (e.g.: claim, handling, employee theft)
  • External fraud (e.g.: computer hacking)
  • Damage to physical assets (e.g.: fires and floods)
  • Employment practices and workplace safety (e.g.: diversity and discrimination)
  • Client, products & business practices (e.g.: fiduciary breaches, misuse of confidential customer information)
  • Execution, delivery and process management (e.g.: data entry errors, incomplete legal documentation)

Operational Risk definition

Risk is generally defined as something that has the potential to prevent business objectives being met.

The definitions on operational risk given above are purely regulatory, and refer only to operational risks that lead to financial loss.

The Regulators’ concern is that not enough capital is held to absorb any operational risk losses incurred: they are not concerned at all about firms better being able to meet objectives, increase top line, increase efficiencies, and other strategic changes.

Therefore, operational risk management needs to consider impacts beyond just financial losses that appear in the P&L. It should also consider failed opportunities, project failures, inefficiencies, poor service and other risks that lead to impacts that prevent business-as-usual and strategic objectives being met.

Operational risk is seen by business as the cost of doing business, so there is no up-side to it. However, good operational risk management can help them improve the bottom line, not just minimize losses.

Operational Risk identification

The steps to identifying risks are ensuring business and strategic objectives are articulated, and then identifying what could prevent these objectives being met.

Companies often confuse current issues, causes, control failures, impacts and risks.

All risks are caused by something; and if they occur, they have an impact.

People, internal processes, systems and external events are considered main causes in Basel, it can impact on Financial loss (Basel impact), Reputation, Client service, Regulatory action or the Growth/Efficiencies of an organization.

Examples of Operational Risk events at insurers

The following highlights examples of operational risks insurance companies could face. Operational risk events can lead to impacts of other risk types.

  • High staff turnover in Claims means that a large number of new staff are processing claims assessments which leads to errors. As a result, average claims amounts increase.
  • A lack of adequate procedure documentation so that regulatory timeframes for processing customer requests are not adhered to resulting in regulatory sanction, fines and reputational damage.
  • Inadequate system controls allow reserves to be amended by underwriting staff to manipulate profitability.
  • Poor underwriting controls and compensation linked to insurance sales lead to underpricing and then future losses when claims are received.
  • Pricing models are put into production without adequate validation which contain fundamental errors. Pricing of products is subsequently found to be incorrect leading to losses.
  • Reports generated by systems which are used for management decision-making contain serious omissions leading to a strategy which is not appropriate for the insurer.
  • Hackers gain access to systems, steal customers’ details and delete customers’ policies.

Importance of Operational Risk

Strong operational risk management fulfils regulatory requirements and is good business practice. History has shown that failures in operational risk management, at financial service organizations, have persisted over time and have had dire results. Below highlights some of the most significant failures, both at insurance companies and banks:

Insurance company: Equitable Life, HH 2000; Independent insurance 2001; Kember 2001; Reliance 2001
Bank: Orange County’s credit union 1994; Barings bank 1995; AIB 2002; Freddie 2003; NAB 2004

How does robust risk management achieve results?

  1. Risk mitigation: organizations identify and understand the “risks that matter,” effectively assess risks across the business, and drive accountability and ownership for mitigating those risks.
  2. Cost reduction: organizations streamline or eliminate duplicative risk activities and improving process efficiency.Val
  3. Value creation: organizations achieve superior returns from risk investments and improve controls around key processes.

Organizations with more developed risk management structures and practices, i.e. higher risk maturity levels, have improved financial performance, i.e. better risk management significantly impacts the bottom line!

To be continued……

 

Leave a Reply

Your email address will not be published. Required fields are marked *