Risk Awards 2016
There is more to insurance risk than Solvency II. Europe's hotly debated – and much-delayed – risk-based prudential standards for insurers finally went live last month, following a year in which firms wrapped up implementation and regulators answered the last, lingering questions. Standard Life wins this year's insurance risk manager award for going well beyond those minimum standards.
One of the best examples is the company's new risk review teams, which separately cover business risk and technology change – areas traditionally ignored by most insurance sector risk functions. The business risk review team is dropped into a specific business area, with a brief to identify possible future problems and make recommendations – often at the behest of the Standard Life board. The first review was completed early in 2015, and around half a dozen others followed, each taking around six weeks.
The company's Edinburgh-based chief risk officer, Raj Singh, introduced the reviews after seeing the benefits at a previous employer. "Risk management needs to be much more pre-emptive – not only in terms of modelling, but also in terms of business and strategic decisions," he says. "The reason I pushed for it here is because it introduces an independent challenge, as you can sometimes get a little bit of groupthink in both new and mature businesses. This brings some fresh views from people who look at it from a completely arms-length standpoint. A lot comes out of it."
Among the diverse topics the reviews covered in 2015 were expense drivers, corporate structure, and the setup and acquisition of financial planning business Pearson Jones, subsequently rebranded 1825. In the latter case, the review recommended – for example – that the business would need enough funds to ensure scale once the purchase was complete, and that the new addition should adopt the same risk tools and governance structure used elsewhere in Standard Life, says Alastair Clarkson, business risk review director with the company in Edinburgh.
Having outsiders provide recommendations is, of course, a recipe for workplace tension. Standard Life has the business itself presenting the results of the review to the board, after discussing the findings with the review team. The presentation is observed by a representative from risk review, who then opines on whether it was fair.
"We want the business to understand why we are making these recommendations, and what they can get from them. The business is then responsible for following through on recommendations – some of which we classify as critical, so we expect them to be followed in a certain period of time," says Clarkson.
The technology risk reviews were introduced because Standard Life – like many insurers, Singh says – is going through a period of technology transformation. One of its key interventions last year saw it head off plans for a wholesale transition to a cloud solution offered by one vendor. The business in question was ready to make the move until the review team started asking questions. Not only was the vendor unable to show that its data security was up to scratch, but it also failed to offer clear details about the development work it claimed was underway to remedy the issues.
"We have a very good view of what's happening in this field and we have linked into some of the other big cloud providers to see what sort of challenges they were facing," says Dan Chalmers, head of technology changes at Standard Life. "When it comes to some of the biggest names, you expect them to have gone through a thorough process and have fixed everything. But when you start looking at some areas in technology risks like cloud or cyber resilience, in some cases those big providers are still navigating through those issues."
The move was put on ice, and the technology firm actually stopped providing the service temporarily to address the issues raised, adds Singh.
Of course, the company has not been ignoring Solvency II – and here as well, Standard Life has gone beyond the minimum requirements, turning the oft-criticised Own Risk and Solvency Assessment (Orsa) into a central pillar of its risk monitoring and reporting framework. In its simplest form, the Orsa requires insurers to track their overall solvency needs, but Singh feared this would become a 'dead' compliance requirement; to make it a 'living' process, Standard Life combined it with other elements of its risk framework. "Our living Orsa comprises the risk reporting, risk management information and each of the traditional Orsa processes," says Marc Storan, a member of the reporting and analysis team at Standard Life. "All the latest information we have on these elements is communicated directly to members of the board and risk committees via an app."
The living Orsa would, for instance, include both the latest results of the company's stress testing as well as more ad hoc instant risk updates. One practical example of the latter followed the brutal falls in Chinese stocks during January: "When the Chinese market went down, we sent out an alert on our exposure and on how this was impacting us to the board. It gives them comfort that we are on top of the issue and are reacting – so, the living Orsa offers that kind of instant communication. And if you talk to regulators, they will ask you whether your Orsa lives and whether people really use it. In our case, this is part of our normal risk management process," says Singh.