03.10.09
Solvency II, dealing with Operational Risk

About the authors
Dr. ing. Jürgen H.M. van Grinsven is director of Deloitte Enterprise Risk Services and author of the books Improving Operational Risk Management and Risk Management in Financial Institutions.
Drs. Remco Bloemkolk works at ING corporate risk management and has written this article in his personal capacity. Prior to ING he worked at Swiss Re and Ernst & Young.
Introduction.
Historically, insurers have focused on understanding and managing investment and underwriting risk. However, recent developments in operational risk management, guidelines by the rating agencies and the forthcoming Solvency II regime increase insurers’ focus on operational risk. Insurers consequently have to decide on their approach to managing operational risk.
The Solvency II framework consists of three pillars, each covering a different aspect of the economic risks facing insurers, see figure 1. This three-pillar approach aims to align risk measurement and risk management. The first pillar relates to the quantitative requirement for insurers to understand the nature of their risk exposure. As such, insurers need to hold sufficient regulatory capital to ensure that (with a 99.5% probability over a one-year period) they are protected against adverse events. The second pillar deals with the qualitative aspects and sets out requirements for the governance and risk management of insurers. The third pillar focuses on disclosure and transparency requirements by seeking to harmonise reporting and provide insight into insurers’ risk and return profiles.

Solvency II (SII) is the updated set of regulatory requirements for insurance companies operating in the European Union. It revises the existing capital adequacy regime and is expected to come into force in 2012. It has a number of expected benefits, both for insurers and consumers. Although the most obvious benefit seems to be preventing catastrophic losses, other less obvious benefits which are considered to be important are summarised in table 1.
Table 1.
These expected benefits make SII an increasingly important issue for insurers. Not surprisingly, solvency has evolved into an academic discipline of its own and much of its literature is aimed at the quantitative requirements. Yet, despite the progress made in SII, the next section indicates that insurers will also encounter a number of difficulties and challenges in operational risk before they can utilise these expected benefits.
The importance of operational risk in Solvency II.
Over the past few decades many insurers have capitalised on the market and have developed new business services for their clients. On the other hand, the operational risks that these insurers face have become more complex, more potentially devastating and more difficult to anticipate. Although operational risk is possibly the largest threat to the solvency of insurers, it is a relatively new risk category for them. It has been identified as a separate risk category in Solvency II. Operational risk is defined as the capital charge for ‘the risk of loss arising from inadequate or failed internal processes, people, systems or external events’. This definition is based on the underlying causes of such risks and seeks to identify why an operational risk loss happened, see figure 2. It also indicates that operational risk losses result from complex and non-linear interactions between risk and business processes.
Figure 2.

Several studies in different countries have attributed insurance company failure to under-reserving, under-pricing, under-supervised delegating of underwriting authority, rapid expansion into unfamiliar markets, reckless management, abuse of reinsurance, shortcomings in internal controls and a lack of segregation of duties. See the examples below. Unbundling operational risk from other risk types in risk management and risk measurement can help prevent future failures. This holds true for smaller and larger losses. Often, larger losses are the cumulative effect of a number of smaller losses. In other words, the result of the bad practices that flourish in excellent economic circumstances, when the main focus is on managing the business rather than operational risks.
Unbundling operational risk from the other types of risk involved in managing and measuring risk may help prevent future failures.
Examples of insurance company failure:
Insurance company failures in which operational risk played a significant role include:
- The near-collapse of Equitable Life Insurance Society in the UK, which resulted from a culture of manipulation and concealment, where the insurer failed to communicate details of its finances to policyholders or regulators.
- The failure of HIH Insurance, which resulted from the dissemination of false information, money being obtained by false or misleading statements and intentional dishonesty.
- American International Group (AIG) and Marsh, where the CEOs were forced from office following allegations of bid-rigging. Bid rigging, which involves two or more competitors arranging non-competitive bids, is illegal in most countries.
- Delta Lloyd, Fortis ASR and Nationale Nederlanden (the Netherlands) agreed to compensate holders of unit-linked insurance policies for the lack of transparency in the product cost structures.
The above examples illustrate that such losses are not isolated incidents in the insurance industry, but instead occur with some regularity. The large loss events mentioned above can be drilled down into operational risk categories. Table 2 presents several examples of operational risk categories and insurer exposure.
Table 2.

Difficulties and challenges in insurers’ operational risk management.
Insurers have not historically gathered operational risk data across their range of activities. As a result, the major difficulties and challenges that insurers face are closely related to the identification and estimation of the level of exposure to operational risk. A distinction can be made between internal and external loss data, risk self-assessment, supporting techniques, tools and governance. See table 3 for an overview.
Table 3.

Loss data form the basis for measuring operational risk. Although internal loss data are considered the most important source of information, they are generally insufficient because of the lack and often poor quality of such data. Insurers can overcome these problems by supplementing their internal loss data with external loss data from consortia such as ORX and ORIC. However, using external loss data raises a number of methodological issues, including the problems of reliability, consistency and aggregation. Insurers consequently need to develop documentation and improve the quality of their data and data-gathering techniques.
Risk self-assessment (scenario analysis) can be an extremely useful way to overcome the problems of internal and external loss data. It can be used in situations in which it is impossible to construct a probability distribution, whether for reasons of cost or because of technical difficulties, internal and external data issues, regulatory requirements or the uniqueness of a situation. It also enables insurers to capture risks that relate, for example, to new technology and products as these risks are not likely to be captured by historic loss data. However, current scenario analysis methods are often too complex, not used consistently throughout a group and do not take adequate account of the insurer’s strategic direction, business environment and appetite for risk.
The techniques and tools that insurers use to support risk self-assessments are often ineffective, inefficient and not successfully implemented. Research indicates that 19.5% of current practices are often not shared within the group, while 22% of respondents are dissatisfied and 11% very dissatisfied with the quality of their information technology support services. Another question that can be raised is the governance of risk management. How, for example, are the risk and actuarial departments aligned?
Operational risk may represent the greatest threat to insurers.
Conclusions.
In this article we discussed operational risk in the context of Solvency II. Operational risk is possibly the largest threat to insurers. This is because operational risk losses result from complex and non-linear interactions between risk and business processes. Unbundling operational risk from the other types of risk in risk management and risk measurement can help prevent future failures for insurers. SII is on track to put greater emphasis on the link between risk management and risk measurement of operational risk. We have addressed the most important difficulties and challenges in operational risk management: loss data, risk management, tools, techniques and governance. Those insurers able to ensure an effective response to these major difficulties and challenges are expected to achieve a significant competitive advantage.