What insurers can learn from banks on scenario analysis for op risk management

With the advent of Solvency II, insurance and reinsurance companies must prudently and proactively manage operational risk and allocate a capital charge for it. To assess and quantify the operational risk capital charge through an internal model, the industry frequently uses scenario analysis. This powerful tool is pragmatic, implementable and cost-effective. Scenario analysis fosters out-of-the-box thinking to efficiently address risks in a world of known and unknown unknowns.

Scenario analysis studies the impact of extreme loss events on a firm’s business and financial position. Scenarios present plausible future events by considering risks that have a low frequency (such as once every 100 years) but a high severity (comparable to a company’s expected net income). The analysis helps firms to anticipate, manage and report their exposure to operational risk events and quantify the operational risk capital charge.

The concept of scenario analysis for operational risk is not new to the financial industry. Especially in the banking sector, scenario analysis has been widely used for many years – often in response to regulatory requirements such as the Basel II capital adequacy rules. If banks are experienced with scenario analysis, can the insurance sector tap into and benefit from this knowledge? There are similarities between the sectors. Roughly speaking, primary insurance is comparable to retail banking. Both have mass business with private customers and a high number of small transactions, along with regulations protecting clients. The reinsurance industry has a different pattern of business. The volume per transaction is more comparable to that of investment banks. In terms of intraday trading, computer failures and system outages are not as relevant as for primary insurers or commercial banks (excluding their effects on a reinsurer’s asset manager).

When it comes to operational risk, the insurance and banking businesses are comparable, but the weighting and focus of operational risk are different. These differences also hold true within the insurance sector where the differences between primary insurance and reinsurance must be incorporated into an analysis. However, the process of scenario analysis should not differ significantly from the rest of the financial industry. Lessons learned and experience from the banking sector should be used in the insurance world.

A scenario analysis can be performed on different levels – either at group, business segment or legal entity level. From the Solvency II perspective, a capital charge for operational risk has to be calculated for the group and for legal entities within the European Union. However, it can be useful to perform a scenario analysis at the business segment level as well.

There is no right or wrong number of scenarios. A good starting point is the number of operational risk event categories according to the Operational Risk Consortium (Oric) in London, which are similar to the Basel II event categorisation used in banks. At a minimum, insurers should aim to cover all 20 categories on level two of the Oric event classification. When these 20 scenarios are applied across several business segments and legal entities, the number of assessments increases and the scope is increased accordingly.

It is important to stress that, as in the banking sector, scenario analysis is not the only method that can be used for operational risk measurement and management in the insurance and reinsurance world. In the financial industry, risk control self-assessments (RCSAs) and operational risk loss data are also used, along with business environment and internal control factors (BEICF) and key risk indicators (KRIs).

RCSAs are often performed within a company’s internal control system and address operational risk in a more qualitative manner. The assessments are typically granular and follow a bottom-up approach to identify operational risk comprehensively. The assessments focus on measures, are conducted on a single risk basis and are especially used for reporting as well as risk steering. The challenge here is that the assessments are often not disjunctive, which can lead to an excessive operational risk charge when the data is used as model input.