Assessing likely losses from operational risk is an improving area but still subject to many imponderables. So building a strong control framework and the right culture to identify potential problems is equally important for re/insurers, concluded participants in a recent InsuranceERM roundtable in collaboration with Thomson Reuters Accelus.
John Joyce, qualitative risk manager, Allianz Insurance
George Scott, general counsel and chief risk officer, Pacific Life Re
Colin Tester, senior operational risk manager, Axa Insurance
Ellen Davis, director, workflow proposition marketing, Thomson Reuters
Maurits Le Poole, major account director, Thomson Reuters
Christopher Cundy, editor, InsuranceERM
Peter Field, content director, InsuranceERM (chairman)
Field: How does your firm quantify operational risk?
Joyce: Our stakeholders -- management, the regulators and our group management -- stress the importance of quantifying operational risk to make it meaningful, which I fully support. However, operational risk is first and foremost about control and whether it is effective or not. Any model-based capital number that is calculated for operational risk is an estimate as it will be based on assumptions, be they model/methodology-based or data-related -- data which you may or may not have.
Scott: That is true. All our capital numbers are estimates. None of them is gospel. I think we all know it is not the right number, but it is our best estimate, what we think is appropriate.
The real challenge is, when you improve your controls, how do you reflect that in your operational risk capital? Do you wait until you see the fluctuation in operational risk results going down? Or, do you say, 'Our controls are better now'? It is so tempting to look at your loss events and say, 'That won't happen again.' You have to be disciplined about not taking credit for improvements until you have really seen them coming through.
Field: You aim for the 3% capital weighting on the Solvency II standard formula?
Scott: I think it comes out at about 4% under that rather complicated formula.
Cundy: What kind of scenarios do you model?
Joyce: From a population of approximately 200 scenarios, we model about 10%.
Cundy: But what you are looking for is presumably interactions of different operational risks?
Joyce: Exactly, and there is a very lengthy debate with our subject-matter experts within the business to make sure that we are looking at the scenarios that have the potential for the largest impact. We had a good idea about 18 months ago what the worst case might look like from a regulatory point of view, although the change in the regulatory framework in the UK is requiring us to challenge our assumptions and review our approach.
Pacific Life Re: "Every risk has a name on it"
"We are a pure life reinsurer, so I think that probably makes our approach to operational risk quite different. We have relatively few employees and relatively few locations, and all our business is reinsurance.
"A big factor in our operational risk is our clients' operational risk. The framework we have is fairly basic. We operate a risk register. The key is that we allocate risks to individuals, not to groups or teams or committees.
"Every risk has a name by it.
"We use the standard formula as a basis for quantifying operational risk, but we have quite a rich vein of loss events built up over the last seven years or so that we use to benchmark the standard formula, just to check that it remains appropriate.
"The loss event process is an important part of our operational risk framework. It is not about blaming people -- the difficulty is getting people to be open about things that have gone wrong. You have to learn from the mistakes and to make sure they don't happen again.
"Because of our size, we don't have a separate operational risk team. As CRO I take overall responsibility for operational risk, and the risk management committee reviews operational risks as they arise. The biggest risks are valuation and pricing, which outstrip all the others by a big margin.
"Quantifying the risk for the individuals involved really helps to focus the mind, because, when you say, 'This is how much it is costing from a capital perspective,' it really does give an incentive for people to improve their controls."
Davis: How do you pick the scenarios?
Joyce: We start off with the standard Basel level two 33 standard scenarios and ask our business units to look at each of them and identify which are the most relevant to them.
Then we ask them to identify three parameters for each scenario, which we sense-check and validate against our own expert judgement, and also against our own risk event data, data that we source from either within the group, from the Operational Risk Consortium (ORIC) or from other external databases of public risk events.
Having validated the scenarios, we choose the most extreme scenarios and we make sure that the scenarios have not already been captured elsewhere within other elements of the risk model.
Field: Your operational risk goes up to board level?
Joyce: Yes, we have a structured risk appetite framework for enterprise risk management. Operational risk sits within that. We present operational risks to our business units at a more granular level of detail for people to work with, understand and use, but at board level the information becomes more tailored to focus on the key risk elements – be that on an impact or accumulated basis.
Scott: The decisions about appropriate controls need to be taken on the front line. The board does not know that the right number for operational risk is "x". You can look at how much it has gone up or down or how the loss events have got better or worse. But it is all about proportionality. Nobody wants to take operational risk. The question is, how much does it cost to eliminate the risk?
It is quite feasible to have an excessive number of controls, which get in the way of doing business, or just take your eye off the ball from the real thing.
Le Poole: So, how do you find that balance?
Scott: You have to let the people who are experienced in the particular role they're in make those decisions.
We do a self-certification process every six months, and a more detailed review process every other year. We also carry out high-level testing just to check that controls that people say are operating really are operating.
Joyce: Do you have an internal audit department?
Scott: Yes. Internal audit will do much more in-depth testing, and we wouldn't carry out a risk management review within a particular department the same year they're being audited by internal audit.
Joyce: We do something very similar. Part of the ongoing review of our ERM framework looks at consolidating the control framework, in order to assess elements of duplication and inefficiency that may have developed over time.
Scott: Yes. There are definite weaknesses in excessive controls.
Allianz Insurance: "Our largest risk will always be our insurance risk"
"We are an operating entity of the Allianz group, a large global organisation which has been developing an ERM framework since 2004.
"Operational risk is important to us -- in that it is a necessary consequence of conducting our business activities -- but it is not our largest risk, which, as a P&C insurer, will always be our insurance risk.
"Our culture encourages people to actively consider risk and control when undertaking their activity. Like Colin [Tester at Axa Insurance], we have similar discussions with our group and BaFin, the group's regulator. Group may suggest that we follow their regulator's approach, but we must always balance that against our regulatory framework.
"The key to a joined-up approach with the group is to evidence that discussion and that ongoing liaison with the group -- this could relate to any risk type."
Davis: You're saying people don't take responsibility if your control framework is too robust?
Scott: Yes. Not being a career risk manager, I just think most risk management is common sense and good business practice. Before risk management was "invented", people were doing it. The danger is people think, 'I don't need to do risk management anymore, because there's that department called risk management.'
Joyce: Yes, it is about ownership.
Field: Is there anything meaningful you can model?
Tester: I think we find out a lot through the modelling process and through the gathering of data for that. It is a key point in our year where we pull together a lot of up-to-date information, so we can easily identify risks where controls being more effective would directly impact capital and – crucially – the likelihood of something going wrong in the first place.
Davis: Are you able to actually evidence that direct relationship between better controls and the use of your capital?
Tester: Yes. With some risks we model we use a "control scorecard." We look at various elements of the control environment and work with the right subject-matter expert to score the effectiveness of controls based on the inputs we have.
Scoring something "medium" rather than "high" has a direct impact on the scorecard result which factors into the scenario's frequency assessment. So you can see a very clear smoking gun there. But, of course, we are always talking about something that is never quite going to happen the way you've modelled it.
Field: Is operational risk the one area where perhaps people are reluctant to say they need less capital?
Tester: We have seen a reduction in the last three or four years, but this is down to an improved risk culture and process maturity. People see the link between, say, storing data unnecessarily and operational risk capital. So, I think we have less unnecessary risk than we may have had in previous years, but we are very clear that reduction in the capital requirement cannot be a key driver -- it is almost a coincidental output of the process.
Field: But the databases of loss events do not go back that far, do they?
Tester: No, and especially in our environment. Not only have some scenarios not happened to us before, but they have not happened anywhere in the industry before.
Field: Or have not been recorded.
Axa Insurance: Building a robust control framework
"We are implementing a group operational risk framework, and doing so by means of our own local UK operational risk policy. The group is applying for internal model use in Solvency II, so it is not a standard formula situation.
"The core model is hot on risk identification; then the measurement and quantification, monitoring and reporting; but less so historically on the control area. That is something we are doing a lot of work on this year -- to build a really robust control framework.
"You can quite often have a situation where something has been developed by the group to satisfy a European regulator, and we have to explain to the UK regulator why we are satisfied that it is the correct approach. Saying 'because someone else says so,' isn't good enough -- we must ensure that we have the rationale for all those key assumptions."
Tester: The idea that something is better than it was last year because you know more about it now is not sustainable. At some point you need to reach a benchmark of expertise.
Joyce: A key area where we can add value to the risk management approach for operational risk from my perspective is analysis of the crystallised losses or the near-miss events – with a greater focus on near misses as your risk management framework and culture matures.
A recent study has suggested that the relationship between near misses and loss events is something like four to one, so, if you can manage your near misses, you will have a greater impact on reducing your actual losses.
This was one of the key findings identified in a study which ORIC published in the summer of 2013 (Creating value from risk events -- Leading practices in operational risk event reporting, analysis and investigation, learning and management.)
Davis: How do you incentivise people to report near misses and hold their hands up?
Joyce: One element is to appeal to their conscience. However, it is about sharing and about learning from experience to avoid risk events crystallising and suffering losses. If you can identify and communicate the clear relationship between near misses, loss prevention and target achievement, this will provide a very compelling incentive. So, over the course of time, a maturity and transparency around risk management becomes more obvious and becomes embedded in your business.
This article is one of three in a series about operational risk. The others are:
The best approaches to monitoring and managing operational risk (6 December 2013), covering basic definitions, overlap with conduct and reputational risk, 'never events' and event reporting, op risk frameworks and Solvency II
Managing operational risk is about good business practice (30 January 2014), covering emerging operational risks, improvements to loss data, modelling