The EU Solvency II directive is a significant challenge for the insurance industry, but recent events in the financial markets have made it even more so. For operational risk professionals and insurance companies, there is a need to prepare for compliance with Solvency II but also to look beyond this to best practice in the industry. One area on which some operational risk experts are focusing at the moment is how to reduce complexity while improving communication and governance around risk. At a recent webinar, sponsored by OpenPages, three industry experts focused on the challenge of creating a robust operational risk governance structure in a multilayered financial services firm.
“Allianz is an organisation operating in about 70 countries,” says Stuart Robinson, senior vice president, Group Risk, at the insurer. It has three major operating segments: life and health; property and casualty; and financial services. There are 22 operating companies reporting directly into the risk function in Munich, where Robinson is based. Several of those companies are big enough to be multinational insurers in their own right if they were not part of the Allianz Group. The firm then has four regional hubs that have more than 30 companies below them.
Robinson explains further: “Looking at the 22 companies, four of them actually operate globally. When we look at them from Munich we may think of them as being a single operating unit but, in fact, when they look at their businesses, each of them will have offices spread all around the world. Not surprisingly, given the number of companies and the number of segments, we have a very complex product range. We have everything from simple unit-linked investment products to traditional investment business, from motor and household insurance to specialty corporate insurance.” The Incheon Bridge in South Korea, for example, is one of the longest suspension bridges in the world, for which Allianz provided the insurance and the risk management support.
As a result, says Robinson: “It’s a difficult environment to put an operational risk framework into, and it’s challenging for three main reasons. When we look at regulatory requirements, we need to satisfy multiple regulators. Our banking and asset management companies need to meet Basel II requirements, our European insurance companies need to meet Solvency II requirements, our Swiss business has to satisfy the Swiss Solvency Test, the UK company has to satisfy the Individual Capital Assessment framework, the German companies have to meet MaRisk requirements, etc.”
So, when implementing a new operational risk framework, Robinson said it was critical that it struck “a balance between the needs of our local operating companies and the issues that concern the group centre”.
Robinson acknowledges that, as he is in the group centre, he is much more focused on Solvency II and key risks, including accumulation of risks and reporting. But he also wants to put in place a more granular framework that allows different operating companies to have different levels of analysis to meet their own local requirements.
This creates a range of challenges for Robinson, but he says he has broken the key challenges down into two categories. “The first thing we have to do as a group is reduce complexity,” he says. “It’s very easy if we sit 10 of our experts from different operating companies in a room to come up with lots of very good ideas and then realise that we’ve also come up with a very complicated framework. So when we’re looking at complexity we don’t want to have overly complicated methodologies. We don’t want complicated processes and we also want the mandatory requirements from the group centre to be kept manageable. Whenever I say to someone it’s mandatory that they do something, I think very hard about that.”
Simplifying methods and processes
He adds: “The other thing that we’re looking at to reduce complexity and to improve efficiency is systems strategy. We need standardisation in terms of our methodology and our processes. We want something that is efficient for people to use so that we don’t have a lot of people deployed on producing information rather than analysing it, and we want to be able to support better management and governance.”
As a result, a substantial area of strategic focus in this process was the technology framework that Allianz would put in place. “We spent a lot of time thinking about what we need in terms of systems, both in the group centre and in the local operating companies,” says Robinson. “We concluded that we needed one central system, so we opted for an intranet system that will allow for some local Excel extension of that system in the smaller companies where it’s not practical to train people to use the system. Our operating companies are able to add a certain amount of local functionality to the system. If somebody wants to ask an additional question when they are setting up a loss data capture form, they could add their own question in; if they want to change their work flow they can. But we still have the common core group application. By being flexible in terms of allowing local customisation of the systems, so far we’ve actually avoided having too many companies come back and say they want to do something very different.”
After a lengthy process, Allianz selected the OpenPages platform for its operational risk framework. “We have designed the system at the moment to primarily be something that supports our operating companies’ operational risk management teams, rather than have a system that is heavily focused on the needs of the group centre or is designed to be pushed to thousands and thousands of users in the business with detailed functionality,” says Robinson.
He adds that, because the system is very flexible, one of the things his team was able to promise Allianz’s operating companies is “that we will allow them to amend the system if they needed to. So, if you have the system installed, on top of the core group functionality if you want to amend the work flow – for example, put a second approval step into a work flow – we can do that. If you want to put additional reporting in, we can do that. As long as an operating company’s requests don’t impair the performance of the overall system, we allow people to slightly customise the system to better fit their own requirements. So far, that has been an effective way of getting buy-in for the system across the business.”
Robinson says the initial implementation of the OpenPages system has been, by and large, successful, but has required a lot of communication with stakeholders. “I was talking to some of our businesses this morning about the systems and the key challenges we face,” he says. “One of those challenges has been to keep things simple. When people come to us with a very long wish list, we will have a fairly serious discussion about whether all of those needs are sensible.”
He adds: “This may be slightly controversial but, having spent a lot of my career working in risk management, when I look at operational risk management in particular there is a line people can and sometimes do cross, where they stop adding value to the business in terms of better risk management and improved transparency and efficiency. They occasionally get to the point where they are drilling down and down and producing more and more detail; not because it is helpful to the business, but because they either think they have been set that objective, or they have set themselves that objective. That is not something we want people to do or want to encourage.”
The other big challenge has been the practical challenge of embedding certain parts of the core functionality across the group, he says. “Even things like the loss data capture process and the top risk assessment process (where we are familiar with them because they were Excel applications that people used) required extensive systems training and support. We need also to get the right people in the management team motivated to actually use these systems properly. There is a cultural change in getting people to do something in a different way and that may also involve establishing organisational guidelines for how people use the system, how we report data and how the approval processes work.”
Although the solutions Robinson has achieved for Allianz may be innovative, the challenges he has encountered are by no means uncommon, says Jonathan Davies, managing director – Americas, at RiskBusiness International. This means it is even more important that risk executives do not just view implementation of operational risk frameworks as box-ticking exercises, or their investment will be wasted. “This is not just a regulatory exercise by any means,” says Davies. “We are trying to take the organisation forward to enable it to make more transparent decisions on risk, more broadly to understand the extent of losses where those aren’t transparently captured today – often embedded as contra-revenue items without transparency accounting.”
Understanding the levels of risk
“We are certainly not trying to create a zero-risk culture or zero-risk organisation, the reality is completely the opposite,” he says. “We are comfortable taking risk – that is what we do, both as insurers and bankers. What we want to understand is the level of risk that we run and how that compares to the tolerance we would like to set. Also we want to be able to identify opportunities for taking increased risk, in other words, removing controls, removing the cost of controls, being more efficient about our controls because we have a huge cost component embedded in managing risks through controls. We clearly want to report information upward – there’s a demand for the board to see more, to see the aggregated risks on an enterprise-wide basis and for them to be able to set the tolerance of the organisation and be involved in that dialogue.”
In general, says Davies, operational risk executives should be striving to create a culture of risk awareness and the ability to communicate – he says it is “probably the biggest challenge that we face.” The language of risk is “a complex language from many directions; not just the type of risks we’re talking about and defining that, but also being clear about the form of measure we want people to communicate. At the end of the day, everything is a risk and we run the risk – if you’ll forgive the pun – of too much being reported if we’re not clear of the exact basis of measurement that we’re looking to impart. For us to be successful, we need to engage business people in risk management, we need their acceptance to the process, we need them to adopt the process and, in regulatory speak, we need to pass the use test and that involves us having a system for risk that is appropriate to those objectives.”
Therefore, organisations need to create libraries of language that meet those lowest common denominators. Firms don’t necessarily need to enforce the adoption of those common libraries, Davies says, but if they have them under the covers within the system or within the process then they’ve “basically opened up the opportunity for sharing of information and, hopefully, greater efficiency of all of these risk-related programmes.” “The last thing we want to do is truly add negative value to the organisation by consuming more resources and by talking in an additional language of risk, which creates less clarity and adds more confusion than we had with the operational risk programme,” says Davies.
“We need to move towards a standardised language for risks and controls and, if we can achieve that standardisation, we can enhance the level of sharing and integration,” says Davies. “We need to move towards better defined measures of risk. We can measure the risk on an impact and likelihood basis, we can look at frequency in various ways, we can look at impact in various ways, we can aggregate the two and look at an expected loss or unexpected loss to various degrees of confidence. We can have simplified ways of trying to express those two but, without some consistency, people will be communicating on a very different basis and that inconsistency really doesn’t help at all.”
But for a firm to be truly successful in implementing a risk framework, the governance mandate must extend beyond risk identification. “The control side has been the area where most organisations have really struggled,” Davies comments. “Work is done on controls primarily by audit and pretty much everyone else, often with no real consistency of documentation or consistency of classes of controls that may be stronger or weaker.”
Firms should strive to create relationships between controls and business processes as well. “Obviously there will be some controls that are very strategic and others that are specific to certain processes,” he says. “When you are involved in creating value to help people communicate and manage risk within a certain business function, ideally you want to strip out the controls that are truly non-applicable in the context of that business process and portray or show controls that might be of use or are likely to be of use.”
Gordon Burnes, vice president marketing at OpenPages, brings the discussion back around to what is motivating much of the work around operational risk for insurers – Solvency II. He notes that the UK’s Financial Services Authority (FSA) periodically releases guidance for insurers it regulates. “While there may be slight variations across the EU, clearly the goal is to have a consistent regulatory framework so the guidance can be informative for insurers in other countries as well,” he says. “Solvency II really moves regulatory oversight to a principles-based approach. This is the first point: it may be obvious, but it has pretty significant implications for the kind of system that you put in place. Here it’s noted that ‘there will be freedom as to organisation and design around the governance process’. But remembering this is critical as you choose and deploy an operational risk system, because it will have to reflect your particular organisation’s design and governance processes. Brittle, pre-packaged solutions won’t work.”
Second, Burnes says the FSA has noted that “an effective risk management system will be required”. In other words, a system that is poorly governed – Excel spreadsheets, Access databases and manual intervention as the central core application – won’t work as an operational risk framework. Says Burnes: “[Robinson] pointed out there may be instances where you want to leverage and use your computing systems to allow flexibility on the edge, but the core system needs to be centralised, programmatic and well-governed.”
A common language
Burnes also believes that a common language is critical for delivering consistency across the organisation. “There clearly needs to be some independence across these different management disciplines, but there is a way to leverage a common set of technologies and processes to make the reporting and assessment process more efficient without losing the requisite autonomy within the different groups,” he says. “If you’re a business unit owner or a process owner and you’ve got to go through an assessment process five or six different times from different groups, there’s a real problem. You are going to have assessment fatigue and the data quality will drop off and, beyond these process inefficiencies, it’s just very expensive to support all these different systems. There are ways to leverage a common language, a common set of technology and still retain local control within these different risk management domains and you can capture huge process improvements and reduce overall cost.”
Burnes also believes these lessons can be applied across the four different operational risk processes. For example, he points out that some companies have opted to think about the general ledger (GL) and leveraging the data that’s in the GL as a way of managing loss events. Burnes says that firms really need to think about the whole life-cycle of loss events – managing the reporting and recurrence discovery recognition. Firms also need to think about impacts and recoveries. Burnes says firms may want to separate impacts and recoveries depending on where and when they happen – and then firms need to be able to issue or create issues that will start a remediation process around a particular event. Says Burnes: “It is a complex process that GLs don’t support appropriately.”
Burnes also points out that, as organisations create more robustness around the risk assessment process, they really want to be able to tie loss events into those assessments. He says: “It is pretty interesting to back-test the assessments with actual real loss events to see how you did, and whether you were able to get to the key risks in the area you are looking at and whether you were able to estimate the exposure well. These are key things you want to think about when it comes to systems.”
“From a risk control self-assessment process, we really think about two things, which we characterise as a risk and control self-assessment and technical reviews and risk assessments,” he says. “Frequently companies want to have a top-down assessment to find the key areas of risk in the business. They may do this on a process basis: we had one large company that has 300 mega processes and looks at things across risk programmes. Regardless, you have this dynamic where you find out what the key areas of risk are and then you combine that with a bottom-up approach where you really delve into those areas of higher risk. The system you use really needs to be able to support both of these processes.”
Burnes says scenario analysis is mainly useful for high-impact, low-frequency events. He adds that “the robustness of the scenario analysis will be informed by the granularity of external and internal incidents and the data that comes out of the assessment process. You want to make sure your system can inform the scenario analysis so that you can come up with something realistic and predictive of things that might actually happen.”
Overall, however, all three panellists agreed that, when implementing an operational risk framework, it is essential to focus on reducing complexity in order to facilitate communication up and down the firm around the risks it faces and to improve overall governance. This means creating vocabularies around risk issues, reducing the volume and difficulties around reporting, and making sure that each element of the operational risk framework delivers not only for the group centre, but for the business units doing the reporting as well.