Managing operational risk is about good business practice

30 January 2014

However much attention is devoted to loss data, modelling, KRIs, risk appetite and other operational risk issues, most of what an insurer needs to do in this area should already be part of the way it runs its business. This theme ran through the second part of the recent InsuranceERM roundtable in collaboration with Thomson Reuters Accelus

Participants

John Joyce, qualitative risk manager, Allianz Insurance
George Scott, general counsel and chief risk officer, Pacific Life Re
Colin Tester, senior operational risk manager, Axa Insurance
Ellen Davis, director, workflow proposition marketing, Thomson Reuters
Maurits Le Poole, major account director, Thomson Reuters
Christopher Cundy, editor, InsuranceERM
Peter Field, content director, InsuranceERM (chairman)

Field: Is it possible to identify emerging operational risks?

Joyce: Emerging risks are by any definition uncertain in definition, character, impact and frequency – if they were more certain they would have "emerged." Operational risks are typically well understood, and are going to happen relatively frequently, although the larger risks, with a greater impact, are relatively infrequent.

John Joyce, AllianzWhatever method you use for identifying operational risk – workshop-based, questionnaire-based – you should allow respondents an opportunity to consider risks not already identified (with reference to standard catalogues for example). This may identify new – possibly emerging risks – but is more likely to provide a different scenario for an existing risk.

Other methods – for example crowdsourcing – have proved a more effective way of identifying emerging risks, particularly if you involve individuals throughout the insurance value chain. However, my experience suggests that the majority of emerging risks will be insurance-related and not operational in nature.

Scott: I think you should just look at emerging risk as "blue-sky thinking", without putting any restrictions on it. But the kinds of things that come out are not operational risks; they tend to be more of an insurance-risk nature. I don't think fundamentally different operational risks "emerge."

Field: What key risk indicators might you use to identify specific operational risks?

Joyce: Particularly interesting for me is claims leakage. There can be many causes of claims leakage – skill, competence, T&Cs, understanding of the policy – and they are all pretty much operational. Across the industry we estimate, evaluate and manage it in a slightly different way, but it can be an indicator of how effective processes are or an indicator of how effective those processes could be.

Field: How often would you be looking at those things?

Joyce: The MI [management information] gets produced and is reviewed on a regular basis.

Tester: Claims leakage is an archetypal operational risk. I have found the rate of claims leakage can often tell you how things were, rather than how things are or are going to be, and that is the challenge. So it is really about understanding from your firm's experience what actually causes claims leakage to rise, and then having an indicator around those things.

"We have a fairly high threshold for loss events before we record them, because trying to record everything is impossible. And at the lower level it is bound to be far more inconsistent." George Scott, Pacific Life Re

Scott: Isn't this another area where, if you reflect the reality that operational risk management is about good business practice, most of the KRIs [key risk indicators] are in fact in the normal strategic MI for the various departments? In underwriting and claims, that might be their caseload; in operations, the status of processing statements of account; in HR, the turnover levels; in legal and compliance, what are the key issues you are dealing with?

So we do not label those kinds of indicators as operational risks; they are just part of business MI. Our only pure operational risk data is the loss event side.

Le Poole: How do you pull that all together?

Scott: We have two MI packs; we have a business pack which we call strategic MI and which gets reviewed monthly, and we have a quarterly risk MI pack. Both go to the board, but they are both looked at in more detail at a management level. It is looked at with all the department heads there, so then you get to see the interactions.

Colin Tester, AxaTester: The size of the business and the shifting sources of data can be reporting challenges. With operational risk, monitoring and reporting of risk information relies less on a data warehouse and more on an 'MI supermarket' – unreliable labelling and, just when you know what aisle to go to, they move it around again. The one thing that never changes is that things change all the time.

Priorities for 2014

Field: What will you be prioritising over the next year in the operational risk area?

Joyce: One objective for the next 12-18 months is to harmonise the risk and control assessment processes to remove duplication of effort and ensure that the management are getting a view or risk that is consistent, comprehensive and forward looking.

Tester: We are putting a lot of focus on our control environment and its effectiveness. Alongside this, we are making sure that we apply the best possible operational risk practice to conduct risk, and enhancing the understanding and provision of our key risk indicators to provide maximum insight to the business.

Scott: One thing we do need to keep on top of is training – to maintain an appropriate focus on risk management, to maintain the right culture, to keep pushing out the message that loss event reporting is not about blaming people – all this kind of sustaining activity.

Loss data

Field: Can the loss data be improved in any way?

Joyce: You cannot get a good risk event data capture process in place without the right level of culture – which is based on common objectives, understanding and accountability.

It is not about having enough data points in order to put into a model to make the model more robust. First and foremost, this is about learning from your experience and sharing where things have gone wrong or could have gone wrong. Where possible this sharing of information should be both internal and external to the organisation.

"Claims leakage can be an indicator of how effective processes are or an indicator of how effective those processes could be." John Joyce, Allianz

Field: How important is the modelling element in operational risk management?

Scott: I think a small part of the value of the process is the modelling.  You use the modelling you have done on your loss data as a sense-check. You do not tend to be surprised by the results of the modelling. You have got a pretty good instinctive feel for the kind of range of outcomes to expect.

Maurits Le Poole, Thomson ReutersTester: Yes, the modelling benefit of loss data is at least third in my mind. The first thing obviously is to understand the loss. On another quantitative level, loss data can be a valid lagging key risk indicator that you need to make sure you have integrated into that process as well.  Somewhere further down the line comes the input into the scenarios.

Joyce: Without logging the loss data accurately in the first instance, you can get more noise around the core description. If it is a public dataset and is therefore anonymised, the level of understanding of risk event causes is diminished.

Scott: Yes, you do not know how the anonymised company's processes work and you do not really know what their risks are or what their underlying business is.  There might be some factor which makes the data completely irrelevant to you.

Joyce: Exactly, so you can use the event as an indication of something that might happen to you and as a sense check to your existing experience, but you cannot use it as the only basis for a decision.

Ellen Davis, Thomson ReutersTester: I think one of the key uses is where you are able to say, 'Look, this kind of thing CAN happen, because here is an example.'  I always like quoting in training or awareness sessions the biggest ever ORIC-captured loss – £811m for a fat finger incident. That kind of thing always grabs attention.

Field: How do you keep on top of all the data?

Scott: One key to trying to maintain integrity of the data is not being too ambitious in how much data you keep. We have a fairly high threshold for loss events before we record them, because trying to record everything is, obviously, impossible.  And at the lower level it is bound to be far more inconsistent, first of all, in whether you see that as an operational loss event in the first place and, secondly, whether you bother to report it.

"I like quoting the biggest ever ORIC-captured loss – £811m for a fat finger incident. That always grabs attention." Colin Tester, Axa

Focusing your attention on the bigger losses, which are the material ones, both from a modelling point of view and from the point of view of designing controls and keeping losses down, is probably easier to do in a wholesale operation than in a retail operation, where you can have multiple repetitions of the same error causing material loss.

George Scott, Pacific Life ReJoyce: We have a flexible approach to thresholds according to the business types within Allianz Group. Some business units have chosen a lower threshold – to go from zero – because they have embraced the learning capacity from risk event data capture and analysis.

Scott: I would rather call that a near miss and say, because this could be multiplied many times; then, rather than just saying the threshold is £10,000, say, 'How bad could this get?' That is the more important measure.

Field: Do you have a zero appetite for anything?

Scott: Reputational risk is the one which we have lowest appetite for.  Some people do not include it in operational risk. We would say that it is operational risk.

But even then there is not an unlimited budget that would be implied by "zero tolerance".  If you could reduce the risk from infinitesimally small to slightly smaller than that, but it would cost you £100m, you would not do it, and that would be the right decision. You can spend any amount of money or time to try reducing the risk to zero but you cannot eliminate it.

Further reading

This article is one of three in series about operational risk. The others are:

The best approaches to monitoring and managing operational risk (6 December 2013), covering basic definitions, overlap with conduct and reputational risk, 'never events' and event reporting, op risk frameworks and  Solvency II

Operational risk: is quantification or control more critical? (22 January 2014), covering quantifying op risk, risk frameworks, capital charges and reporting