Key challenges in ensuring operational resilience - part one

UK insurers are facing tough new rules around ensuring their business is resilient to disruption. In part one this InsuranceERM/Crowe roundtable, experts discuss the regulations, the timescale for implementation, setting impact tolerances and working with suppliers

In March, the UK's financial regulators issued new rules and guidance around building operational resilience.

The requirements are demanding, and firms are focused on two key deadlines.

By 31 March 2022, firms must have identified their important business services (IBSs), i.e. a service that if disrupted could cause intolerable levels of harm to clients, or pose a financial stability risk. They must have set impact tolerances for the maximum tolerable disruption, and carried out "mapping" and scenario testing.

Mapping in this context means identifying and documenting the people, processes, technology, facilities and information resources necessary to deliver IBSs.

Firms must also have identified any vulnerabilities in their operational resilience.

The next deadline is "as soon as possible", but at least by March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each IBS.

InsuranceERM and Crowe brought together experts at UK insurers who are closely involved with the process of implementing the new rules, to discuss their thoughts on the regulations, the challenges they are facing and what value they are gaining from the exercise.

Christopher Cundy: What do you think of the final policy statements?

Ruth Middleton: The regulators have achieved a good degree of alignment, so there is no need for duplicative activity to meet the expectations of both regulators. But there are a couple of areas where I would like to understand a bit more: what constitutes a plausible but severe scenario? And what is required in the self-assessment documents which regulators can request after March 2022? There is guidance, but how do you bring it to life?

Feryal Nadeem: Scenario testing is always a difficult one – it's always left to you as a company to decide how much you should be doing. That might become clearer as we see how others are doing things.

Chris Day: The final policy statements were pretty aligned with the earlier guidance, which was a pleasant surprise. The key takeaway for me is there's much greater emphasis now on assuring the operational resilience of key third parties.

Rob Moorehead-Lane: Some of the things the regulators are asking firms to do will be incredibly difficult, if not potentially impossible. For example, if you have customer-facing systems in the cloud, you will have to ask your cloud-provider to explain exactly where you are in their list of priorities to restore service, if they were to go down at any point. How do you get the cloud provider to admit that? Frankly, insurers are probably low down their priority list, so how would you go to your board and say you're happy with no real explanation other than a service agreement?

Feryal Nadeem: You're absolutely right – and I don't know the answer and I don't think the regulator knows the answer. Another element is around third-party management: it actually goes deeper, into third-parties' third-parties, and I'm not sure we can get clarity all the way down the line.

Christopher Cundy: Is the timescale for implementation sufficient?

Chris Day: We began our journey about 12 months ago, so we're a good way through our first pass. We're aiming to have the bulk of our mapping assessment and testing done by March next year. But it will be different for different businesses.

Anna McNamara: The message coming through in the policy is that regulators expect this to evolve in time. They are not expecting everything to be perfect by March – and that makes it feel doable. We will continue to evolve over the three years to 2025.

Justin Elks: Certainly from what we have seen, the best and most impactful operational resilience programmes are iterative and evolutionary. And our experience is that firms are in very different places: there's a continuum, where some have virtually completed their preparations while others are really just at the start line.

Rob Moorehead-Lane: The other fact in understanding theoretical process-based decisions, is these are primarily paper-based processes and nobody is going to know for sure if they work until something goes wrong. I remember seeing one brilliantly written disaster recovery plan for a potential terrorist event. The first step was for the executive recovery team to contact the buildings facilities manager to assess the extent of the damage – but it turned out none of the team had the particular manager's phone number! That's why scenarios are so important.

Christopher Cundy: Let's move on to implementation challenges. One that is frequently discussed is setting impact tolerances. Why are they difficult?

Justin Elks: The consultation papers got a lot of feedback in this area. In the latest papers, regulators refined the definitions [of impact tolerances] and required companies to set time-based impact tolerances, supported by other metrics where appropriate. While regulators provided more guidance, including factors to help firms consider intolerable harm, you're right to say setting impact tolerances can be a challenge.

Rob Moorehead-Lane: I would say just pick a number, because there is zero rationale for coming up with a well-thought-out impact tolerance on your own. Let's take claims payments: unless your brokers and claims payment processors are all going to come up with the same impact tolerance or a set of tighter tolerances than yours, then your impact tolerance is worthless, as you will be relying on people, processes or systems from third-party suppliers who have a different impact tolerance regime to yours. Now multiply that by however many clients each of those third-party suppliers are contractually committed to.

Feryal Nadeem: We found setting impact tolerances difficult, partly because the dual regulation (PRA and FCA) means you have to look at it from two slightly different angles. What's coming out of the exercise is that rather than getting into the detail of setting a perfect impact tolerance, it's the work you do around that that's important, like asking deeper questions of third-party suppliers about their operational resilience.

Ruth Middleton: The other challenge is that it's a new concept for the business: it requires education on what impact tolerances are. On the third-party issues, one of the things to consider is how we can make use of contractual access and audit arrangements, and if we can rely on third-party mapping and testing.

Anna McNamara: I agree impact tolerances are difficult to come up with. Knowing how you would actually work around an operational issue almost has more value at this stage than setting an impact tolerance. We can refine impact tolerances as we go on and learn.

Christopher Cundy: How have you found the exercise of identifying important business services (IBSs)?

Rob Moorehead-Lane: Almost everything we've done before as an industry has been inwardly focused, whereas this is externally focused – and that has been a struggle for some people.

For example, if you ask heads of IT about what services they need up-and-running straightaway, they will generally be focused on key internal tier one systems such as general ledgers or policy admin systems. But if you talk to customers, they don't care about the general ledger – they think your website chat function or your phone lines are tier one priorities.

Another really tricky question is what does 'customer detriment' actually mean? And how long is it before you put customers into significant detriment? Customers come in a myriad of different definitions and so what may be detrimental to one is not for another.

Feryal Nadeem: We did a risk dashboard from a customer's point of view. The first draft had a lot of challenge from the executive committee because we realised it had things customers really didn't care about. This exercise is something that has really aided us in the operational resilience work.

Rob Moorehead-Lane: I wonder how many insurance entities will have their banks as critical third-party suppliers? Without banks, you can't make payments to customers. But I doubt any outsourcing team has access to and ability to manage their bank account as a critical supplier. It should now be part of most companies IBS regimes.

Christopher Cundy: Have you had difficulties defining the scope of the regulation?

Anna McNamara: Probably less than 10% of our business is the UK and around 60% comes from delegated authorities, so we have to think about where we stop in terms of considering issues in the UK versus the rest of the world, and how far we go into mapping coverholders, etc. Otherwise we would end up with thousands of important business services and putting ourselves at a commercial disadvantage in territories where operational resilience isn't a recognised requirement. We have reached a decision on what we are focusing on now, but if we need to, we will evolve it.

Christopher Cundy: How far do you go in understanding the operational resilience of your suppliers?

Chris Day: We have begun a dialogue with one of our major third-party suppliers about how we assess resilience. They are running an internal audit, which we are shaping with them. But do we, in turn, really dive into the key suppliers that are supporting the third-party? Pragmatism has to be the order of the day. We are not keeping on going down the layers.

Christopher Cundy: Have third-parties been receptive to this?

Chris Day: Our asset management partner was initially a bit reluctant and questioned whether they would really need to do this. But as we worked through the scenario testing, they learnt a great deal and saw the value. I think they also realised they were going to be asked similar questions by other clients. We have built a good relationship now, we're partnering together, and they are looking to see how they can develop a common approach.

Anna McNamara: The principle of suppliers coming up with a 'Kitemark', so we're not all running around asking the same questions about operational resilience, is a pragmatic and helpful way forward.

Feryal Nadeem: Our suppliers have had to answer the same questions from others; they are quite well rehearsed and that has been helpful. One of the areas we want to explore more is digging deeper into what they're doing. Third-party risk frameworks have existed for some time, but we can enhance the questioning and probe a bit more.

Christopher Cundy: What can you do if an irreplaceable supplier – for example the telephone network or AWS – collapses?

Rob Moorehead-Lane: It's not just those major infrastructure items which are significant issues for the insurance industry. If you look at the life and pensions business in the UK, there is a very significant amount of outsourcing and this is pretty much managed by three companies – Capita, Genpact and Diligenta.

Within the financial services industry, there are other significant concentrations like this behind the first-line entities.

This is one of the areas where trade associations need to step up and put pressure on the third-party suppliers to up their game – and also for regulators to be able to look through to the third-parties' documentation. Otherwise the costs of making these unregulated entities comply with this regime, through multiple requests from their clients will only drive up costs, which in the end will be borne by the consumer. So while trying to protect consumers from harm due to failures the regulators will be harming consumers through higher fees through the lifecycle of the pensions process.

One of the things I'm pushing for is to have our management think about how much of our business we give to any one of our suppliers. Should we be putting everything onto one cloud provider, or have multiple relationships? By having multiple providers, it's a lot easier to switch if one of your providers does goes down.

• The second part of this roundtable will be published next week. It will cover engagement with the business, assigning responsibilities for operational resilience, the role of the risk function and how the work will add value to the business.