What insurers can learn from banks on scenario analysis for op risk management


When setting up scenario analysis, a key question is whether to use a uniform template that all business segments and legal entities must implement, or allow customisation depending on business type and location. One solution is a generic description of the scenarios, covering a broad spectrum of risks with room for interpretation. Within the assessment section of a scenario template, business and local particularities are then described and explicitly taken into account for the assessments.

As mentioned above, the Oric categorisation offers guidance on achieving adequate completeness of operational risk events. When mapping scenarios to the Oric classification on level two, generic scenario descriptions might overlap with other scenarios. For example, a scenario regarding outsourcing activities could include the risk of a service company defrauding the firm. However, this might well have been assessed in the generic external fraud scenario, so firms need to be cautious to avoid double-counting and higher-than-necessary capital holdings. Boundary events should be stressed, presented and moderated accordingly.

As a scenario’s assessment is generally conducted through interviews and workshops with experts, any estimate is subjective in nature. The assessments are potentially biased due to overconfidence (especially surrounding assumptions regarding extreme ‘black swan’ events), misrepresentation (misjudged links between hypothetical events) and anchoring (tendency to use previous years’ assessments as a reference point). Facilitators must be aware of these aspects and must ensure sound routines and a transparent process to minimise any potential impact on the quality of scenario analysis.

When conducting the assessments, it is important to acknowledge that operational risk might also be regarded in other risk categories. For example, operational risk in processes such as reserving, underwriting or claims is often covered through loss triangulation, and a capital charge is already included in insurance risk. Facilitators must stress the possibility of operational risk being recognised within other risk categories and direct the experts accordingly. When in doubt, discussions should be held with relevant process owners and senior management.

When scenario analysis results are used for quantifying the operational risk capital charge, the experts’ estimates must be validated to ensure these assessments offer meaningful data. This validation can be conducted by using external or internal operational risk loss data. Companies might also choose to perform validation and plausibility checks with data from existing RCSAs (described above). Generally, a risk estimate from an RCSA that can be mapped to a scenario forms a lower bound for a scenario’s assessment – it can be awkward when an estimate within an RCSA indicates a much higher financial loss than a complex scenario where more than one risk is usually taken into account.

Correlation assumptions (between scenarios, business segments or legal entities) are another challenging topic. When assumptions regarding correlations are made using only expert judgement, validation of the estimates is difficult. Generally, internal and external operational risk loss data as well as results from RCSAs can be used to verify correlation estimates. An alternative is for experts from other organisational units to challenge the initial assessments. However, when relying solely on expert judgement with potentially biased estimates, validation is a demanding task.

Supervisors must also keep the use test in mind. The Solvency II regulations state: “Insurance and reinsurance undertakings shall demonstrate that the internal model is widely used in and plays an important role in their system of governance” (Article 120).

A scenario analysis shows where operational risk issues and drivers are located within a company or a group, allowing the risk costs to be allocated according to cause. Additional information about measures is useful for implementing mitigation techniques. This requires an accurate mapping of risks in the scenario analysis but offers the benefit of addressing the use test.

Sven Regling is a compliance specialist at Frankfurt-based consultancy Gutmark, Radtke and Company. Michael Haackert is risk manager for operational risk at Munich Re in Munich. This article first appeared in Operational Risk and Regulation.
