Operational risk management for banks and insurers shares many similarities, but there are some important distinctions between the two disciplines. Insurers, while better versed in the art of loss modelling and management, bear a lighter regulatory burden when it comes to op risk than their banking counterparts and are generally seen as less well versed in its intricacies.

“When I came into the insurance sector from banking in 2013, I realised how basic the understanding of operational risk was, and to a certain extent it still is. I saw there was a gap in understanding of how pervasive operational risk can be and how it could be managed at insurers. But the gap is not that wide – it can be easily filled with known industry operational risk frameworks,” says Gustavo Ortega, head of corporate operational risk management at AIG.

Ortega is a former director of investment bank operational risk management at UBS, and his experience in banking and insurance led him to co-author a new book, The Fundamentals of Operational Risk for Insurers, which was published in August 2017. Co-author Cathy Hampson, now a management consultant specialising in the use of robotic process management in regulatory compliance, has also worked at AIG, as regional head of operational risk between 2013 and 2016. Before that she was executive director for finance operational risk at Morgan Stanley.

For Hampson, the book developed from a desire to help insurers move up the learning curve and catch up with banks, without needing to go through the same lengthy period of development, and numerous iterations of op risk frameworks and systems. “Any second-mover gets the benefit of not having to repeat mistakes,” she says.

Despite the obvious differences between banking and insurance, the established principles of sound operational risk management and the framework for risk governance, identification, assessment, measurement and monitoring are applicable to insurers with only minor modifications, according to Hampson and Ortega.

The book drew particular praise for its emphasis on the measurability of op risk. Given the nature of the risk, and its ineluctable human element, a good deal of what the book describes is qualitative, but data collection and assessment need to be objective and quantifiable, it stresses.

“This book points us towards actual measurable implementations, rather than just frameworks that are often food for thought, and the last thing operational risk needs is another ‘framework’ book,” says one judge.

A chapter contributed by Lourenco Miranda, managing director in risk management at Societe Generale in New York, explores the past, present and future of op risk modelling. This section stresses that quantification and scenario-based analysis can – and should – be performed.

The heart of the book deals with internal risk event reporting, external loss data, risk and control assessments, risk indicators, and reporting and analysis. In exploring these practices, the authors sketch out a scientific approach, rather than simply enunciating broad principles.

In areas such as compensation, there is greater overlap between banks and insurers than might be expected. An insurer’s underwriters, for example, are sometimes incentivised to produce results that might endanger the long-term health of the firm, in the same way as bank traders sometimes have been in the past.

“Banks and insurers need conduct and behaviour policies around compensation,” says Hampson. “Insurers can build them in from scratch. We have seen progress from banks, with developments like deferred pay and clawbacks written into contracts.”

For banks, the pressure to improve operational risk management emanated originally from regulators when they first tied capital requirements to operational risk. For the insurance industry, the biggest shakeup of recent times has been the European Union’s Solvency II, which came into effect at the start of 2016 and introduced to insurers some of the principles first seen in Basel II.

Solvency II imposes formal governance requirements, mandating roles such as a risk management function, an independent audit function, an actuarial function and a compliance function. The insurer’s processes for risk management should be set out in an Own Risk and Solvency Assessment.

In the US, insurers are governed by state rather than federal law, but large firms deemed to be systemically important financial institutions will come under federal jurisdiction as well.

“Regulators are putting a lot of pressure in terms of behaviour and having risk management tools similar to banking,” says Ortega. “Take the Australian Prudential Regulation Authority, for example – they are supervising insurers and banks very much alike when it comes to conduct and risk culture. The argument has always been that insurers are different and should be treated differently, but the fact is we are learning that banking tools are very useful – they just need to be tweaked for applicability.”

Meanwhile, regulators in other countries, including the UK and the Netherlands, have been leaning on insurers to address conduct risk. Behavioural standards should start right at the top of an organisation, say Hampson and Ortega, so those who lead a firm behave ethically and those further down the chain are motivated to do the same.

“The chief executive needs due process to promote, assess and monitor the required behaviour. It’s not enough to just state it; it needs process behind it to find out whether it is working,” says Hampson.

