Managing Operational Risk of Insurance Companies – Part 2

Operational Risk framework

To help manage operational risk, insurance companies are increasingly looking to build, or modify their existing, operational risk management framework. A commonly seen model includes seven components:

  • Governance: vision, guiding principles, risk strategy, risk appetite, organization structure, risk glossary
  • Risk assessment and management processes
  • Capital: regulatory and economic capital modelling
  • Reporting: risk reporting
  • Technology: technology enablement
  • Communication: operational risk training and education, regulatory/audit coordination
  • Validation: operational risk framework validation and verification

Governance Structure

Centralized Organizational Structure & Governance

There are three levels of Organizational Structure & Governance:

Board Level: includes the Board, Audit Committee, Risk Committee, Compensation Committee

Corporate Level: CEO and CRO (Chief Risk Officer); the CRO manages the Chief Credit Officer, Head of Market Risk, Head of Operational Risk and Head of Insurance Risk. The committees include: Executive Committee, Finance Committee, New Product Approval, Investment Committee, Enterprise Risk Committee, ALCO, Credit Committee, Operational Risk Committee

Business Unit / Regional Level: includes business unit risk officers with a solid reporting line to the CRO and a dotted line to BU heads, plus BU Risk Committees and Regional Risk Committees that report directly to the corresponding management-level committees.

Considerations:

  • BU risk officers physically work in the BUs but report to the central risk function based at headquarters
  • BU risk officers demonstrate independence by not reporting to a revenue-generating BU
  • The solid line reporting to a centralized risk function enables a consistent approach across the organization
  • The corporate level risk function has a limited number of employees and operates as a facilitator to ensure consistency, coordination and policy management across the organization

Three Lines of Defense

Regardless of the organizational structure or risk governance approach, corporate risk governance needs to be extended to all levels in the organization and become institutionalized as the responsibility of all employees.

The Board and Executive management are responsible for oversight, which includes:

  • Setting the “tone from the top”
  • Establishing risk appetite and strategy
  • Approving the risk management framework, methodologies, overall policies, roles and responsibilities
  • Leveraging risk information in the decision-making process; accepting, transferring or mitigating identified risks
  • Evaluating BU activities on a risk-adjusted basis

The three lines of defense, comprising BU process and risk owners, Risk Management & Compliance, and Internal Audit, have the main functions described below:

BU process and risk owners: Monitor and report
  • “Owner” of the risk management process
  • Identifies, manages, mitigates and
  • Loss and incident data tracking

Risk Management & Compliance:

Design and facilitate:

  • Designs and deploys the overall risk management framework across the organization
  • Monitors BU adherence to framework and strategy, and challenges first line thinking
  • Compiles issues across BUs and escalates risk/control issues to senior management
  • Performs aggregated risk reporting

Interpret and develop:

  • Provides interpretation of regulations and disseminates it to business units
  • Monitors compliance with regulations
  • Develops and monitors policies and procedures
  • Performs risk-assessment-based compliance testing
  • Advises on regulatory issues

Internal Audit: Test and verify

  • Provides independent testing and verification of efficacy of corporate standards and business line compliance
  • Validates the overall risk framework
  • Provides assurance that the risk management process is functioning as designed and identifies improvement opportunities

Risk Appetite

Expression of Risk Appetite

Supervisory expectations emphasize the importance of using both quantitative and qualitative expressions to articulate risk appetite throughout the organization, since qualitative measures cannot consistently be linked to a financial outcome. Insurers need to consider all major risk types in their risk appetite framework, including those that cannot be measured as easily (e.g. operational risks), rather than focusing solely on more easily quantifiable risk types.

Examples of measure type:

  • Quantitative measures: economic capital; loss ratios; combined ratios; operational losses; counterparty concentrations; VaR
  • Qualitative measures: customer complaints; system outages/performance; negative publicity/news; regulatory or legal fines/sanctions

Institutions should use risk measures to better allocate resources and make informed business decisions (increase exposure / decrease exposure). LOBs / BUs should consider risk-mitigating activities in advance of a breach of the tolerance level, to enable compliance with the stated risk appetite.

Examples of business considerations:

  • Should risk exposure increase to optimize risk/return?
  • Should underwriting standards be modified?
  • Should risk exposure be reduced to within risk tolerance range, or should tolerance levels be amended by Executive Management and the Board of Directors?
  • Are the products sold appropriately marketed and delivered to customers?
  • Are customer service associates appropriately trained?
  • Will continued customer complaints cause damage to franchise value?
  • Will complaints result in legal or regulatory issues?

Risk Culture

The main factors driving the risk culture of an organization are:

  • Awareness – ethical awareness, awareness of risk and issue management, risk appetite awareness, awareness of the organization’s risk profile
  • Leadership – consistent and reinforcing “tone from the top” (leaders hold people accountable, leaders role-model expected behaviors, rewards and consequences balance behaviors and outcomes)
  • Standards – workplace: active fundamental risk management processes (a constructive culture to prevent risks, an open culture to help detect risks, management of issues to recover from incidents)
  • Sustainability – processes that improve organizational sustainability (lessons learnt from past issues, anticipating trends and future risks, ability to improve and respond to change)
  • Governance – three lines of defense (business units, risk and governance, internal audit)

The overall outcomes of a successful risk culture help to balance risk and return across enterprise aspects such as shareholder value, impact on customer experience, people engagement, compliance, improved risk-adjusted return, community contribution, safety in the workplace, environmental impact, etc.

Measuring and embedding risk culture

Culture models typically focus on individual behaviours and ignore the organizational context, while risk models typically focus on risk strategy, appetite or process at the expense of individual factors. The assessment framework below balances both:

Assessment criteria at an individual level:

  • Motivation: what employees want to do
  • Application: what employees do
  • Competencies: what employees can do

Assessment criteria at an organizational level:

  • Communication: how clearly leadership sets expectations around risk behavior
  • Resources: how supported people are to comply with risk policies
  • Incentives: whether people are incentivized to manage risk

The insurance company is the best place to focus initial efforts, as this is what leaders can control. Once the organizational factors are right, the individual factors fall into place.

To be continued…
