Operational risk cuts across all aspects of insurers' businesses and developing a full picture can be challenging. In InsuranceERM's roundtable discussion in collaboration with Thomson Reuters Accelus, experts shared their views on the basic definitions, overlaps with conduct and reputational risk, risk frameworks and assessments, loss reporting and modelling.
Philippa Herz, group head of risk, Bupa
Andrew Pryde, chief risk officer, Beazley
Pierce Young, Head of operational risk, Brit Insurance
Maurits Le Poole, major account director, Thomson Reuters Accelus
Ellen Davis, workflow proposition marketing director, Thomson Reuters Accelus
Christopher Cundy, editor, InsuranceERM
Chaired by Peter Field, content director, InsuranceERM
Peter Field: What is operational risk?
Philippa Herz: I consider operational risk to be all of those risks that are about failure of your people, your processes and your systems.
Peter Field: The Basel definition?
Philippa Herz: Yes.
Andrew Pryde: I think most people use that definition. The only area of discussion for us was whether you categorise operational risk within each inherent risk or whether you have operational risk as a separate category. We have opted for the latter.
For example, if we insure ships and assume one total loss a year but observe nine, then that is inherent insurance risk. If, however our hull underwriters operate outside their business plan, for example insuring oil rigs or property risks, then that would be insurance operational risk.
Ellen Davis: So you see conduct risk as a form of operational risk?
Andrew Pryde: I see conduct risk much wider than that. We are testing which parts of our risk register have a conduct element and believe it is wider than operational risk. This means that we may end up with two views of the risk register; a prudential view and a conduct view.
For the prudential view, we think about risk appetite in terms of earnings volatility and making sure that we have sufficient resources. However, for the conduct view we believe it is more about the organisation's behaviour.
Maurits Le Poole: How would you categorise conduct risk and how do you come up with some kind of way of identifying what is a conduct risk and what is not?
Andrew Pryde: We believe it is about an organisation's behaviour, particular in considering the customer's perspective. For example, thinking about whether a product is designed appropriately and whether it is being sold to the right consumers.
For the prudential view, we think about risk appetite in terms of earnings volatility and making sure that we have sufficient resources. However, for the conduct view we believe it is more about the organisation's behaviour." Andrew Pryde,Beazley
Ellen Davis: Do you try to quantify reputational risk at all?
Philippa Herz: There are two aspects to consider: one is the potential sources of reputational risk, and these will encompass pretty much all of your other risk categories because any failure to manage your exposures as well as your competition is a source of reputational risk.
The other is the issue of how well you deal with reputational risk events if something happens. That is almost more important.
Andrew Pryde: Reputational risk is one of our second tier risk categories. Once a year we look back and assess whether reputational risk has increased, decreased or stayed the same. "How are people resolving it?" and "How do we respond to it?" are critical questions.
Philippa Herz: If you do not have a solid flow of information as things happen – and things that people might not in the first instance think are necessarily very significant events – then you may well find that you are on the back foot if you have a reputational risk event.
Ellen Davis: Do you have an operational risk taxonomy that you use to classify or eliminate things?
Andrew Pryde: From an operational perspective ours is built around functions: which parts of the organisation are creating the operational risk? That makes it the most intuitive for a board member: they know which area and they also know who is responsible for resolving it.
Philippa Herz: Bupa is first and foremost a healthcare group, so our focus is very firmly on the clinical risk outcomes, the conduct risk outcomes and the financial performance. Operational risk statements would be part of the supporting elements of that
We have certain clinical outcomes that we refer to as "never events," where you genuinely have a zero tolerance, for example,"wrong-site surgery," where the wrong leg is amputated.
Andrew Pryde: On the areas where you have zero appetite or never events, is there a risk that the business ends up spending too much time to ensure that those events do not happen? We have always struggled internally with the concept of zero appetite. It is difficult to ensure that something never happens and you can waste a lot of time and effort trying.
Philippa Herz: One of the fundamentals here is actually knowing what is going on. When you run many care homes like we do, you have to make sure that you have a good system of information collection and that can be a challenge.
"We set appetite for operational risk using key risk indicators for each business area such IT and HR, and find out what operational risk means for them and what their appetite is." Pierce Young, Brit Insurance
Maurits Le Poole: Do you have staff recording events or near misses?
Philippa Herz: It is a mixture of having the right reporting mechanisms, the right training, and the right governance structures so that we have management round the table having these discussions frequently.
Pierce Young: When you are setting appetite for operational risk it is not like setting appetite around underwriting or investment risk. Those types of risk probably generate a return and people can see the return being created for the business. Operational risk does not provide a return to the business in the way that other risks might.
We set appetite for operational risk using key risk indicators for each business area such IT and HR, and find out what operational risk means for them and what their appetite is in terms of turnover and staff absence rates, for example.
Peter Field: Do you weight operational risks according to which part of the business they might occur in?
Pierce Young: We set operational risk against the appetite at an overall capital level and then translate that into risk indicators to see how it impacts the rest of the organisation at a lower level.
Andrew Pryde: An important principle in our framework is that where we have a similar risk appetite in different areas, failures in controls must flag when similar things happen. Without that consistency, I would not be able to report clearly to the board as the status of the control environment would be difficult to interpret.
Ellen Davis: How do you structure your risk assessment process?
Andrew Pryde: We have risk assessment and we have control assessment. Risk assessments are performed twice a year and are when executive risk owners identify changes occurring to the risk environment, including new and emerging risk.
Control assessments are performed monthly and are when the statuses of controls are signed off by the business in our online system. The board need to be aware of the status of both the risk and control environments and it is easy to confuse the two or focus on just one of them.
Philippa Herz: We have a quarterly risk assessment. This is looking at categories of risk for each business unit and looking at where they are against that risk. Are they in or out of appetite? Are they expecting to come back into appetite within six months? Do they think that that risk is high impact, high likelihood for them?
We also maintain a 'top risks list,' which is a short list of essentially the biggest residual risks for the organisation. It is the list of risks that you would expect your senior management or your board to be most concerned with and discussing. The way that those are phrased is not the same as our risk categorisation; they will be more thematic, they may be more contemporaneous.
Pierce Young: We do formal quarterly risk and control assessments. We will use a combination of a top-down and a bottom-up approach. So the individual risk control owners report up through various functional line managers and the risk committees will overlay their own assessment on this as well, based on the information they are getting, and that will be passed down. So we go through this circular process where everybody is getting feedback in terms of what the risk and control owners think and whether that matches up to the view of senior executives, and we refine our assessments based on that.
Philippa Herz: When you report to your board risk committee, what sort of a scale do you use? Do you use anything really sophisticated or do you use impact likelihood?
"We have a quarterly risk assessment. This is looking at categories of risk for each business unit and looking at where they are against that risk. Are they in or out of appetite? Are they expecting to come back into appetite within six months?" Philippa Herz, Bupa
Pierce Young: It depends on how we are reporting it, because the way we classify different types of risk information, we would either be reporting appetite at a capital level, or key risk indicators, key control indicators or maybe to the detailed level of the inherent and residual risk score as well.
Philippa Herz: So if you are reporting, say, your top residual risks, would you use a scale?
Pierce Young: I guess it would be the standard impact likelihood assessment scale.
Philippa Herz: Just numbers, like a one to five?
Pierce Young: Yes, we score them.
Andrew Pryde: We report the view from the business for each of the 57 second-tier categories of risk. So we do not focus on the top ten because our board want to see the complete universe. If you focus on the top ten, it is usually the eleventh that causes a problem. Our main report is a consolidated assurance report which provides, for each of the 57 categories, the view from the business using a red-amber-green scale, the views from risk management, from compliance, from internal audit and any entries on the risk incident log. It also highlights where residual risk has increased above risk appetite.
Peter Field: How does operational risk relate to the overall enterprise risk management of the organisation?
Andrew Pryde: Operational risk is one of eight risk categories and it is handled in exactly the same way. It is much easier to have one framework that the whole organisation understands. I provided an example on the insurance side earlier but the same principle applies to other risk categories. For example, in the asset risk category the inherent risk might include movements in interest rates or default probabilities and the operational risk would be the investment managers operating outside their investment mandate.
Peter Field: You belong to ORIC (the Operational Risk Consortium)?
Andrew Pryde: Yes. This means that we report risk incident information to ORIC and in return we receive anonymous risk incident data previously submitted by other organisations. We use that information in a number of ways. For example, we use it to help validate the parameterisation of our internal model and we use it to scenario test how our existing control environment would respond if the events that have happened to others were to happen to us.
Philippa Herz: Culture is the key to all of it. You can have all the processes that you like but, if you do not have the culture, then those processes are unlikely to be robust because you are not going to have a true reporting of risk.
Andrew Pryde: We focus on who in the organisation can either create or mitigate operational risk, which splits into 19 areas across the business of people making mistakes, from the underwriters and claims managers through to finance, IT and HR.
People seem to think that it is difficult to quantify operational risk. However, I focus on how we can express it in terms that the business thinks about risk. For example, within the category of disaster recovery, we did some maths to see how much profit is generated on average each day. This then helped us to identify how many days we can be without a system before we hit our risk appetite. It worked out at about five days and that gave the IT team something tangible to work with when they are thinking of how sophisticated our response should be, for example how much to spend on infrastructure.
Ellen Davis: How do you encourage people to report losses? Often people do not want to do this because they think their capital will go up or they will get their wrists slapped.
Andrew Pryde: I think it is through demonstrating that that will not happen. After a number of years of reporting incidents and reporters seeing that they are not blamed, people trust the process. Actually, it is seen as something positive in our organisation as it demonstrates that people are on top of things when they don't go to plan.
Philippa Herz: It works well where the emphasis is placed on making sure that events or potential events are reported promptly. If you have got a culture where people only want to give good news messages, are reporting everything green and do not want to talk about their losses, then you are way off, and that is what you have to address.
If you look at a long-term business, often things that are uncovered happened well before the person who is currently in the responsible role finds out. In the incidents reporting of, say, a life insurance company, some of these events may relate to business that was sold over 10 years ago.
Pierce Young: As a business, we also link loss event reporting to the wider change initiative programme. Where losses are identified, these will be fed into the change prioritisation process so the underlying causes can be addressed in a coordinated manner.
Andrew Pryde: Again, it can look quite good for somebody to show that they have spotted an issue and have resolved it, so that is a good message.
Modelling operational risk
Peter Field: How do you approach modelling operational risk?
Philippa Herz: We consider scenarios and derive input data from those and then that is modelled using statistical distributions.
Pierce Young: We are quite similar; we start with the risk register, sit down with the business subject matter expert and say, 'At the extreme, what could really go wrong with some of these risks, how bad could it get and what would the likely financial impact be?'
Reverse stress testing
Andrew Pryde: When we started doing reverse stress-testing a few years ago – the concept of what would have to happen to make your company unviable – our focus was on the one-off major events. But our thinking has evolved to consider the confluence of multiple smaller events, perhaps over multiple years, as that can also erode stakeholder confidence.
Philippa Herz: It is not just the event, it is how you recover from it and how quickly you recover from it. In the event of a crisis, you may benefit from stakeholder sympathy for a period, but if you cannot get your act together in the longer term it starts raising questions about your whole level of controls and how your business is run.
Peter Field: Has Solvency II made any difference to the way you manage operational risk?
Pierce Young: It has given risk management a lot more focus and naturally that has spread down into operational risk as well.
Philippa Herz: With some Solvency II programmes a lot of the development work was done in tick‑box mode without really evolving the business at the same time with it. Now firms are trying to develop their business risk cultures to catch up with that.
Ellen Davis: So, from more of a compliance exercise to making it a risk process?
Philippa Herz: Yes.
Andrew Pryde: From our perspective, what Solvency II changed from an operational perspective was probably more evidencing and documentation.
Peter Field: But has it made you do things you would not have done otherwise?
Andrew Pryde: No.
Philippa Herz: I think it depends where organisations started from.
"From our perspective, what Solvency II changed from an operational perspective was probably more evidencing and documentation." Andrew Pryde, Beazley
Peter Field: But would you be allocating more or less capital to this area than you would have done without Solvency II?
Philippa Herz: I think there is certainly more focus on operational risk capital but whether that has resulted in more being held I do not know.
Christopher Cundy: Is there much you can do to reduce the capital charge relating to operational risk?
Andrew Pryde: I suppose it depends where you start from! Logically, if you improve your control environments and you can demonstrate that you have done this, then you would think that this would lead to a lower capital charge because it is a safer organisation.
Pierce Young: I think there is probably going to be a base level of operational risk relating to this and it is how far above that base you are operating at.
Ellen Davis: I know that in banking a lot of times the op risk guys get frustrated because even if they go and invest in controls, they are always going to get this layer of capital inserted. Are the insurance regulators more willing to say, 'Well, you've invested in controls, therefore your capital can go down'?
Philippa Herz: You cannot take credit for good intentions. You can't say, 'Well, we're putting these extra controls in place, we've trained people so we will have lower losses in the future.' You need to have achieved the end result, you need to have the track record.
Maurits Le Poole: How do you create forward-looking management information?
Andrew Pryde: Our main tool is a five-year business plan. All elements of the P&L are modelled so that we can understand where the business is heading and then we scenario test it. For example: what would happen if we had a major catastrophe or if there were restrictions on capital availability?
Philippa Herz: I think you have to have a combination of scenario testing, then understanding what is driving your risks and having the right KRIs [key risk indicators] around that.
Communicating with the board
Ellen Davis: How do you get the message on operational risk across to the board? Do you have to provide a lot of education on op risk for them?
Philippa Herz: Of all the areas of risk where you are calculating capital, operational risk is the one that everybody has an opinion on. If you are looking at an area of risk that is perhaps a little bit more specialised, like mortality risk, people are not all going to be delving into the detail to the same extent.
Board members have all got their own experiences to relate to, whether it has been an IT failure or a fraud or whatever that they have lived through and had to manage in their executive lives.
I think it is important, though, that they can see some correspondence between how your operational risk capital number is built up and actually what is on their agenda.
This article is one of three in series about operational risk. The others are:
Operational risk: is quantification or control more critical? (22 January 2014), covers quantifying op risk, risk frameworks, capital charges and reporting culture
Managing operational risk is about good business practice (30 January 2014), covers emerging operational risks, improvements to loss data, modelling