UK insurers face "hard yards" to implement operational resilience rules

Published in: Risk management, Conduct risk, Corporate strategy, Regulation, UK

Companies: Oric International, Sicsic Advisory

Less than a third of insurance and investment firms have agreed what their important business services are, with just over six months to go before a key deadline under new UK operational resilience regulation.

This is the key finding from research conducted by UK-based operational risk consortium Oric International (Oric) and London-based consultancy Sicsic Advisory, which set out to measure firms’ readiness and compare their definitions of important business services.

The survey received 44 responses across life, general insurance, reinsurance and investment management.

It revealed two tiers of readiness: 13 of the 44 respondents (30%) have already got board sign-off for their definitions and mappings, while the same number marked themselves six out of 10 or lower for readiness.

In general, life insurers consider themselves the least prepared, and investment managers the most.

Oric chief executive Caroline Coombe said: “Despite the final regulations only being released in March 2021, an encouraging number of respondents are well advanced in having identified their important business services.”

“However, the hard yards are approaching for the [30%] of firms who are at best half-way complete and may need to accelerate their programme delivery.”

Speaking to InsuranceERM, Michael Sicsic, managing director of Sicsic Advisory, said across the re/insurance and investment sectors surveyed, “people have focused a lot on customers and FCA objectives, and less on prudential objectives. This is a key takeaway from the survey.”

Final operational resilience rules in the UK were announced earlier this year.

By 31 March 2022, insurance firms, larger intermediaries and investment managers are required to have identified all their important business services, impact tolerances and completed sufficient mapping and testing to identify vulnerabilities. 

Following this deadline, there will be a three-year transitional period to 31 March 2025 for firms to demonstrate that they can remain within their impact tolerances for important business services in severe, but plausible scenarios.

Sicsic said achieving operational resilience needs to be seen as a long-term project, rather than meeting the regulatory deadline. 

Coombe told InsuranceERM that together with Sicsic Advisory, Oric is looking to develop “the Op-Res index”, as a benchmarking service collecting and comparing impact tolerance data for important business services across the market, which will be overlaid with risk and scenario data collected by Oric.

  • Insurers discussed the challenges in complying with the new operational resilience rules in a June InsuranceERM roundtable with consultancy Crowe.

    Part one covers the process of identifying of important business services, the timescale for implementation, setting impact tolerances and working with suppliers.

    Part two covers engagement with the business, assigning responsibility and finding value for the business.

Ronan McCaughey