In part two of this InsuranceERM/Crowe roundtable, experts discuss how they engage their business and assign responsibility for the UK's new rules on operational resilience. They also discuss the role of the risk function – and what value can be gained from the exercise
Justin Elks, managing director, UK ERM and insurance lead, Crowe
Chris Day, group head of operational resilience, Royal London
Ruth Middleton CRO, AIG Life (UK)
Feryal Nadeem, CRO, Utmost Life and Pensions
Anna McNamara, chief administrative officer, Tokio Marine Kiln
Robert Moorehead-Lane, CRO, Aspen Insurance Group
Chaired by Christopher Cundy, editor, InsuranceERM
Last month, InsuranceERM and Crowe brought together experts at UK insurers who are closely involved with the process of implementing the new rules and guidance on Building operational resilience (PS21/3).
Part one of our discussions covered the regulations, the timescale for implementation, setting impact tolerances and working with suppliers.
In this second part, we cover how risk teams engage with the business to develop their response, and the ongoing role of the risk function in ensuring operational resilience. We also examine how regulatory responsibility is assigned, and how insurers gain value from their compliance work.
Christopher Cundy: How have you managed to engage the business?
Chris Day: I was pleasantly surprised by how supportive the business has been. The approach that works is getting representation from across the business. We put together a working group with passionate senior leaders from each business unit and they dedicated time. We built out the IBS [important business service] list pretty quickly. We pushed the ownership out to each business unit: each business unit has a resilience lead and service owners.
Feryal Nadeem: The engagement was good and it was well received. The business has appreciated the value. We didn't have end-to-end mappings for services before, and that has made people think about the connections across the business. The challenge has been finding the time.
Anna McNamara: The board and executive understand it. The difficulty is the opportunity cost: there are a lot of exciting projects going on and operational resilience doesn't always appeal to the people in the first line. Once you work with them on it, they do get interested.
Rob Moorehead-Lane: We have a Lloyd's platform and a company market: they have very different approaches to operational resilience. At Lloyd's we are obviously hugely reliant on Lloyd's systems and processes. In the company market we rely on other services, but there is overlap.
So we have the challenge of how our interaction with Lloyd's and the entities involved in the Lloyd's platform is evolving along with the operational resilience programme being guided by the Lloyd's Market Association and Lloyd's - while at the same time trying to build an operational resilience programme that is suitable for the company market platform as well.
The board would rightly ask why we have to do it separately, and the big global brokers will and do ask why we may send them multiple different versions of the same question! It's one of the areas where the various frameworks we are seeing emerge need to take into consideration and be written differently to allow companies to manage a single approach across platforms.
Christopher Cundy: Has it required a big effort on gathering new sources of data?
Chris Day: It has been a challenge for us, whether it is for others will depend on their start point. We have a five-pillar framework to map and assess the services, and for some pillars the data is great: we have a really good system of record for the people pillar, for example. The technology pillar has been challenging, in terms of understanding the technology stack and dealing with lots of different sources of data. We also have to have the tools in place to keep it evergreen, as the technology landscape is constantly evolving.
Justin Elks: Data is definitely a challenge. Boards don't want to delve into tons of detail but are increasingly asking for a dashboard that takes the data up a level and provides useful information - a 'helicopter view' on operational resilience, which they can use to inform their decision-making.
Christopher Cundy: Anna, you are the senior manager with responsibility for operational resilience in your company (the SMF24 holder). How do you get comfortable with signing this off for the regulator?
Anna McNamara: I'm part of the implementation programme: I feel much better if I'm sat in the workshops being able to ask questions and review the documents as we draft them. It's a learning exercise for me too. As we go through the next phase, I will feel more comfortable with standing back a bit, and the team bringing information to me.
Rob Moorehead-Lane: We don't have an SMF24 at present. We, as a number of companies within the market, don't have a traditional chief operating officer type role and there is no one person in the organisation that would be happy to take on responsibility because they do not have authority over all of the various functions across the business.
Ruth Middleton: It's the same in AIG Life.
Justin Elks: That's right – a number of insurers have this operating model. But how do you drive your activity without that role as a focus, without the risk function taking too much of a leading role?
Rob Moorehead-Lane: The Operational Resilience steering group consists of the various heads of the required functions that are covered by the regime. We also meet with the local head of IT, which is one of the key roles in operational resilience, as well as the head of operations and outsourcing. But it's a shared responsibility across the executive committee.
It's one of the unintended consequences of regulators pushing for chief technology officers and others like outsourcing and procurement to have a seat at the top table. Regulators can't say these people all need to have a direct seat at the board table and direct reporting into the board and then say 'they should all sit underneath the SMF24' so we can hang this new piece of regulation on a single individual.
Christopher Cundy: How does the risk management function help ensure operational resilience? Will the risk function be doing anything different than before?
Rob Moorehead-Lane: I don't think there's a huge amount more responsibility for the risk function within an insurance firm. We're internal consultants and are there to help the firm develop their approaches to risk management.
One of the key areas where I believe we can help the business is around the development and implementation of scenario analysis: mainly as we in risk have been using these tools previously for other areas of risk management, as well as the fact we also have sight of all areas of the firm, knowledge of the internal controls framework and internal processes and can help facilitate in developing appropriate scenarios.
Feryal Nadeem: We've helped with bringing it to the right level. People can go into a lot of detail, when actually you need the bigger picture. Risk is able to give that big-picture view to the business.
Anna McNamara: We have a member of the risk management team in our working group and steering committee. Risk has a skill in asking the right questions to draw people out, and getting them back on course. The risk team are better at dealing with abstract concepts and they can help translate them for people in other functions.
Chris Day: Risk has been part of the team since day one. One of the things I appreciate is they do inject a level of challenge, and they maintain a pragmatic approach. Sometimes risk can be critical without getting involved in working through the challenge – but they have been an equal member of the team and have driven debates around the definition of IBS and tolerance setting.
Christopher Cundy: Has the work on operational resilience changed your views on operational risk?
Rob Moorehead-Lane: I don't think operational resilience is about not falling over; it's about how quickly you can get back up when you do fall over. However, through the process now being conducted across the industry, it can change some of the control mechanisms firms might have in place for scenarios where operational risk events might occur.
This is, in my view, effectively what operational risk was supposed to be in pillar 2 of Solvency II and articulated through the Orsa, when it was drafted; it was about coming up with scenarios that could occur and would then have management actions attached to them. The problem was the industry and regulators then focused primarily on pillar 1 (capital), so every scenario was based on capital events and effectively operational risk got booted into the long grass.
Justin Elks: Is the timing, post-Covid, conducive to doing operational resilience? Surely this is a great time to be working in operational risk and resilience?
Feryal Nadeem: Some people you talk to say 'we are operationally resilient, we've just been through a pandemic'. But you have to get across that this was just one event – there are lots of other events that might involve more than moving your IT kit home. The pandemic does make it a bit more real, and makes people think conceptual events can actually happen.
Ruth Middleton: We learnt quite a bit from the pandemic about how much disruption customers would tolerate, which we could build into the framework.
Christopher Cundy: How has this work on operational resilience had a positive impact on the business? Have you managed to find value in it?
Chris Day: Getting this right can potentially drive competitive advantage. When the pandemic first kicked in, we ran scenario test exercises that helped the business understand its resilience position and developed improvement actions. Having delivered those, we were able to stand down some of our third-party business continuity arrangements, which has saved a significant sum.
Rob Moorehead-Lane: I think it is adding value to customers and it's got the industry to do what we should have been doing on operational risk – taking the next step and thinking about management actions and the 'what-ifs'.
It's also forcing the financial services sector to think about the customer. With the increasing move towards digitisation and the commoditisation of insurance as an industry, the firms that don't do this properly are going to be far behind in customer preparedness and satisfaction and when they do have incidents and are out of the game for too long, their customers are going to go elsewhere.
Justin Elks: Post-Covid, I think customers increasingly accept that companies are going to have these types of disruptions. The key thing they will care about is how well your organisation responds when they happen. That will increasingly drive loyalty and selection.
Anna McNamara: When you do something, learn something new, and do something differently as a result, there is value in it. We know who our key outsourced suppliers are, but through this exercise we have identified smaller suppliers that can also impact customers.
Feryal Nadeem: Customers want you to deal with issues quickly otherwise they will leave. The sooner businesses can see it from that lens, rather than the regulatory lens, the better. Covid had a big impact on services and the next time there is such an event, I'm not sure customers will be that patient.
Ruth Middleton: One of the benefits is that it's a framework that will evolve, grow and flex as we learn and as the business evolves. It's pulling together everything businesses should be – and are – doing, but in a more holistic manner.
Part one of this roundtable can be read here.