Victoria Tozer-Pennington, Editor, Operational Risk & Regulation
Toby Ducker, Solvency II Programme Director, Brit Insurance
Ian Francis, Solution Architect, IBM
Rodney Nelsestuen, Senior Research Director, Retail Banking
and Cards, TowerGroup
How does Solvency II affect operational risk management?
Rodney Nelsestuen, TowerGroup: What we have started to see happening is that operational risk is receiving new focus around the globe. Operations executives are looking at regulatory risk driven by the increase in global regulations, Solvency II being a major one. Fundamentally, the challenge of Solvency II is finding the right data, getting the right data definitions and making sure it is consistent, clean and organised so that you can gain intelligence from it.
It is a struggle for operational risk managers to pull the right data together for reporting purposes and to perform the needed valuations – including the internal risk calculations necessary for Solvency II – but operations executives are also very interested in being able to extend what they are learning from Solvency II across a broader range of risk management activities as well.
Ian Francis, IBM: From our point of view, we are seeing a broadening of the operational risk outline, which is being more joined with other streams of risk management on an enterprise basis. We are particularly seeing a lot of convergence around qualitative and quantitative analysis, and Solvency II is driving that forward more quickly. The crossover between Pillar I and Pillar II is driving the business risk manager to be involved rather than to halt quant risk management in the domain of the actuaries in an organisation. So we are seeing a greater awareness of operational risk management at the first line of defence. Although there is obviously a need to have the detail of what is going on at those levels, firms are really trying to have some type of integrated reporting at an executive level to ensure that executives are fully aware of the risk management process. Solvency II has been a great driver for those organisations to have the time and the budget to now go ahead and really understand their processes and try to build best practices.
Toby Ducker, Brit Insurance: I think what Solvency II is asking you to do, and how the industry is responding, is really to start linking operational risk to other risk types. It’s the balance between quantitative and qualitative in terms of the assessment but, for me as a practitioner, it’s also about the cultural element. The stick can only ever go so far; it’s important to show the carrot as well, and show how good operational risk management can help the business.
One example we are using with some of our underwriters at the moment is that we write a lot of delegated business, either for managing general agents or binding authorities that practise similar capital to our open market or direct business. The way we are trying to position it within the business is that, if there is a poorly performing operational risk inherent within that area – for example, if they don’t submit their data on time or their reports are a bit sloppy – that should be attracting an operational risk load. It’s about creating the right incentives in the environment to drive the best practice.
What are the emerging best practices for operational risk in insurance companies?
Francis: What we are seeing from our customer base is that organisations are approaching Solvency II in a variety of ways. We are seeing a lot of work being done around documentation of process, understanding and communicating those processes, as well as a fairly large education process that has been going on. That has been one of the really powerful things we have seen across our customer base. Firms are spending a lot more time educating their end-users about why they are carrying out certain best practices.
There have also been elements around getting a very clear under-standing of the data firms need to capture throughout the whole Solvency II programme. It is vital to get that clear and consistent data model. We have typically seen organisations and large insurers with inorganic growth structures trying to get a handle on their many acquisitions and mergers that often result in a very tangled web of systems and data feeds. The best idea is to try to keep things simple. Tackling all the elements of Solvency II head on is like handling a many-headed beast. The best idea is to focus on some of the key practices, and firms will be able to get the best out of those Solvency II programmes.
Nelsestuen: One of the things TowerGroup has noticed is that the best practice evolves around how the organisation functions based on how it is organised. For example, one insurance company may be smaller and built around functional areas while another company, because of diversification, will be built around product lines, and global insurers are built around territories and regions of the world. The needs and the approaches companies use will vary among the three types of organisational structures and will sometimes be a matrix of those different things.
But, on a functional basis, very highly centralised risk management and good governance within the business functions is fundamental, and it is absolutely necessary to have strong, consistent data definitions. If your company is highly centralised, you can bring this information together, deal with the differences in definitions and structures, and probably come up with a very good set of definitions that will help with the reporting process. However, if your company is organised along product lines, then you are likely to have highly siloed business lines making data collected inconsistent and making the whole picture of operational risk very difficult to understand on the enterprise level.
We have all talked for years about taking down the siloes between some business units, but in some areas in insurance – life and annuities, and investments, for example – the walls are necessary for protection and are legal requirements. Getting information that will tell the central management team what is going on within the different areas will be very important in this instance.
In a product-oriented structure, a lot of redundancy is common. Each product line can have its own administrative roles. Some of those inefficiencies create operational risks, but it is an opportunity we’ve seen within the institutions to look at a product line, determine who is doing what in each product area, and maybe capture some of the company’s own internal best practices based on what these different groups are observed to be doing. In this case, being siloed is not necessarily a bad thing, but it is a challenge.
Finally, on the territorial side, the definitions actually start somewhat higher. They start by looking out across the business at the regional or national definitions the business needs to meet and asking how the company operates within those boundaries and whether that creates unique sets of data, how much is universally agreed upon, and how much of it is specific to an area and only then try to understand the differences.
What best practices are you implementing or which are you looking to adopt?
Ducker: The first stage is really to recognise operational risk in its fullest sense. There are a lot of things in operational risk management that we have always thought we should do or would like to do a bit more, but finding the mandate or the business commitment to actually do it was a struggle. Solvency II does give us a bit of an opportunity there. We looked at how we manage through the supply chain because, as a London market organisation, we rely heavily on the London market supply chain, which has not necessarily provided us with the best-quality data. We also needed to look at how to optimise that process and create commercial value from it because, as you start looking at these things, you start to see inefficiencies, duplications and so on, and this regulation gives you an opportunity to remove some of that.
There is best practice in terms of creating efficiency around operations and operational best practice, which will help with your operational risk management anyway.
The other approaches we have been thinking about are how to engage the business. Historically, we took quite a centralised view and had a risk management team that went around the business, talked to people and assessed the operational risk and then came back to the middle. But there probably wasn’t as much visibility as we should have been creating in that approach. We have used Solvency II as an opportunity to extend how operational risk is used within the business and, as such, we’re starting to adopt what will become a much more common practice in terms of engaging the business at the frontline.
We recognise that there will always be siloes to some degree necessitated by product lines, business appliance, territories and otherwise, but part of this is taking it down to the frontline and educating people there, so that you empower them to manage the risks themselves. That way, you get a much more powerful answer. You are empowering the business to take decisions, and allowing them to take the risk/reward decisions that come with that as well as the potential bearing on their profitability. Again, it creates good incentives for them to make good decisions and that, for me, is how we see best practice.
How are insurance companies addressing these Solvency II requirements?
Francis: We are seeing a much greater push towards quantitative analysis of the risk control self-assessment process, as well as around a view of the risk capital allocated across business lines. This will let the businesses understand how they can influence that process and how managing their own internal risk environment can actually shape the capital charge they are going to receive.
It’s really an empowered workforce you are going for, it’s a real step change in the way people are working.
Nelsestuen: Repeating a comment I made at the outset of this discussion, when TowerGroup works with groups within companies, we ask: ‘Isn’t everything just operational risk?’ That rhetorical question gets a lot of attention, and we kind of mean it. The point is that – whether the function is underwriting, actuarial analysis, claims or looking at the investment portfolio or counterparty and credit risk – those are some of the activities we find that cross over to operational risk. There are also the risks that punish, such as financial crime and people ignoring red flags, which come from not having ownership of the risk management.
We have seen many companies looking at creating a permanent menu of the types of risks they have observed; the types of risks they believe are out there; the types of events they have seen, and the near misses they have had in those areas. Near misses are critical. In one case, an insurance executive had observed the near misses until one wasn’t a near miss, and the company experienced a hit but wasn’t quick to respond to what happened. In the business process, there was a breakdown in the validity of analysis being done in that part of the company, so they were taking risks that they didn’t have fully defined. It’s not something that was overt in this case; it wasn’t something that happened overnight; it was something that began innocently enough and went down a slippery slope. The insurers told us they had not really addressed that flaw and are now paying a lot more attention to the near misses. Now, when they have both events and near misses, they can go back and apply some quantitative analysis. The capital allocation aspect that has been coming into play also helps to get people’s attention. When your business unit has capital tied to it, it focuses people’s attention on what they ought to be doing to manage operational risk.
What capabilities should firms develop as part of their operational risk programme?
Nelsestuen: There are two main elements of developing a programme of operational risk management: governance and data. Regulators worldwide – be it under Solvency II or something else – are starting to increase their demand for data and the types and nature of the data they want to see. One of the problems with that is they’re going to get data from multiple sources, in different sequences and with different definitions, and even unstructured data such as that from social networks or call centres.
Some of the tools and technologies available now can take unstructured data and turn it into, if not quantifiable, at least definable elements and a definable sense, which I think is really important.
As for governance, the other main element of an operational risk programme, we at TowerGroup think of the whole governance process as a continuum. On one end of the spectrum are firms whose business units are completely individually responsible and accountable, but we think such a free-for-all is not the most desirable approach to governance. At the other end of the spectrum are firms with a completely centralised risk governance body where all decisions are made. However, even though centralised decisions are being made, such a governance process can fail in implementation due to lack of broad participation. So what we see as a desirable approach is that there needs to be some kind of centralised governance and thinking about operational risk, but it needs broad participation from the business units. TowerGroup observed a couple of institutions that believed they had a thorough approach to risk management, though they allowed some business units to have complete risk governance responsibility. That can be a thoroughly high-risk approach if you study the history of AIG, for example, in the last financial crisis. Firms need to be very cautious about giving complete authority to a business unit. We think that any company has to have centralised control of governance but broad participation.
Ducker: I think that’s right because without that centralised control you can’t join it all up, but without that distributed ownership, participation and sense of belonging you can’t make it work, so I think that is the best model. These things are easy to say, making them work in practice is not as straightforward, but that has to be the aspiration.
Francis: It really comes down to standardisation of approach on these things and keeping those things simple, as well as getting that engagement from end-users all the way through the process. It’s a really difficult challenge, and one that we see a lot. We are doing systems design and have central teams saying to business lines that this is how we are going to do it and we’re going to roll this out. But there is a lot of pushback from those business units if you don’t have that full engagement on the way through.
Business engagement and isolation are real challenges. One of the things firms need to ensure is that they are developing some skills in-house and not just relying on consultants throughout the Solvency II implementation era. Firms need to ensure they leverage off what is already in-house and develop and nurture that because they are the ones that are going to be left once they pass through the project stage. It’s the ‘business-as-usual wave’ at the end of this process that firms really need to be conscious of.
Ducker: The phrase we use internally here is that, “if you’re going to be wearing the shirt in 2013, then you’re going to help us make it today”, because any other approach is doomed to failure, rejection and struggle at implementation phase.
Nelsestuen: The other aspects firms need to take heed of are looking at the life cycle and the staging life cycle of the technology they are using, as well as the products and services and the human resources side of things. The understanding of operational risk is different in different areas, but it is also different in different parts of the life cycle of those three aspects of the business. For example, if you employ new technologies, sometimes these technologies – no matter how much they are tested – will still have vulnerabilities in them where operational breakdowns can occur, where fraud can be committed, and other unanticipated problems can occur. Conversely, problems may arise in companies in which systems and technologies have been used for so long a time that employees have become too comfortable with them and start to ignore some of the control processes they should be following. I think we are going to see a real push from all regulators to require new products to be rigorously tested before they are implemented.
Another area firms need to be aware of is training. Are firms training their employees in the way they need to be trained to have the required operational risk management mechanisms in place? Looking at the whole life cycle of technology, product and services, and human risk, they all have an operational element to them.
Ducker: That’s the route we have gone down as part of our risk management, to align the process and operations of the key risk areas – such as insurance risk, market risk, and so on – with those risks themselves, because we see them as being one and the same. Insurance risk is not just the transaction insurance business and the agreements and liabilities on the insurance balance sheet, it is also about the processes that go with that from an insurance perspective. That, for me, creates a different perspective on putting operational risk at the heart of business planning, business strategy and business decisions. That is where it really needs to be if it’s going to be taken seriously. When the businesses are planning for a new product, for a change in business mix, an expansion in one area or a reduction in another, they need to be thinking at the same time about the operational risks that go with that. If they are not, it always becomes the poor second cousin that gets told way after the event when it is too late to do anything. Again, part of the cultural change for me is about getting that visibility at the frontline that means that they’re thinking about these things when the decisions are being made.
Is industry prepared for the data collection and disclosure requirements under Solvency II?
Ducker: We did Quantitative Impact Study 5 (QIS 5) quite recently, which was very useful in terms of getting the business to recognise the true data requirements of Solvency II. Even if you’re going down the internal model route, it gave you pretty good visibility around some of the data challenges, and really some degree of detail. We used QIS 5 very much as a stepping stone – a way of making some of these things more visible – and it has had the desired effect. It has made sure that the right level of executive management is looking at these things and understanding some of the difficulties in bringing all of this together.
On an industry level, the feedback that the UK Financial Services Authority very helpfully provided shows a very mixed bag on the level of preparedness for Solvency II. But I do think that people, by and large, were using QIS 5 to help them push forward on that. It’s obviously far more difficult to comment on European progress, but I do know that a number of them are pushing back or, at least, making their voices heard in Europe about the difficulties they are finding in getting the data to the right quality and standard.
What is IBM OpenPages’ capability around the correlation of operational risk with other risk classes, and can IBM OpenPages help companies in connection with the own risk and solvency assessment (Orsa)?
Francis: As a platform itself, IBM OpenPages interfaces with an organisation’s other capital modelling tools. We don’t have our own in-house capital modelling tool as such, but we interface with whatever the customers have in-house. In terms of correlation, we have correlation matrices and correlation elements in OpenPages’ platform across either risk categories and we have even had customers going across multiple single scenarios.
For the Orsa, our typical implementation is really supporting Pillar II, so there are a lot of data elements that hit the Orsa as a submission. We have been working with customers to provide the management information at the appropriate gauge to feed into those Orsas, such as loss data by category, and giving them the tool and temper to actually pull that information together.
We have interfaced with other applications and with other Microsoft Office tools to develop the template with the customer and understand it. There is a resusable approach for formatting, and a toolset that they can use across the organisation and management track. And, once they have that information in play, they can use the OpenPages platform to manage the Orsa approval process as well.
How can firms incorporate non-financial factors into the quantitative risk management process, such as litigation and intra-venue business models?
Ducker: Another example I would bring into that is tax. Litigation can come from a number of angles, either from a claims angle or from a tax angle, regulatory or otherwise. It is obviously difficult, but you have to find that balance in a deterministic approach that looks at various scenarios and then assesses them using expert judgement. Don’t forget that expert judgement is a big part of Solvency II too. It’s an absolutely valid way to take a view on something as long as you can demonstrate a robust process involving the right sort of people. And then you can use that as part of the process to come out with a number or a capital load as appropriate.
I do think that is a very valid way, and we shouldn’t get hung up on the fact that everything has to be part of some sort of stochastic model. There is a wide variety of ways to do this. Firms also need to remember the important principles of materiality and proportionality because, if they are not careful, they can become quite hung up with a spurious level of accuracy around things that involve pretty scant information.
Click here to view the article in PDF format
The week on Risk.net, November 25-December 1, 2016Receive this by email